--- a/go.mod
+++ b/go.mod
@@ -2,6 +2,8 @@ module tailscale.com
 
 go 1.19
 
+replace github.com/coreos/go-iptables => ./patched/go-iptables
+
 require (
 	filippo.io/mkcert v1.4.3
 	github.com/Microsoft/go-winio v0.6.0
--- a/patched/go-iptables/iptables/iptables.go
+++ b/patched/go-iptables/iptables/iptables.go
@@ -149,12 +149,39 @@ func New(opts ...option) (*IPTables, err
 	return ipt, nil
 }
 
+func NewFake(opts ...option) (*IPTables, error) {
+
+	ipt := &IPTables{
+		path:		   "/bin/false",
+		proto:		   ProtocolIPv4,
+		hasCheck:	   false,
+		hasWait:	   false,
+		waitSupportSecond: false,
+		hasRandomFully:	   false,
+		v1:		   0,
+		v2:		   0,
+		v3:		   0,
+		mode:		   "legacy",
+		timeout:	   0,
+	}
+
+	for _, opt := range opts {
+		opt(ipt)
+	}
+
+	return ipt, nil
+}
+
 // New creates a new IPTables for the given proto.
 // The proto will determine which command is used, either "iptables" or "ip6tables".
 func NewWithProtocol(proto Protocol) (*IPTables, error) {
 	return New(IPFamily(proto), Timeout(0))
 }
 
+func NewFakeWithProtocol(proto Protocol) (*IPTables, error) {
+	return NewFake(IPFamily(proto), Timeout(0))
+}
+
 // Proto returns the protocol used by this IPTables.
 func (ipt *IPTables) Proto() Protocol {
 	return ipt.proto