Old 11-08-2014, 03:46 AM   #1
Debugging NAT / prerouting issues (iptables)


Recently I discovered an issue with packet routing in the latest Android releases (4.4+, KitKat and Lollipop).
It seems that the problem is Android-specific, but essentially it comes from the Linux kernel.

I already filed a bug report to Google. You can see the details by searching for 'Android Issue 78910' - it's the first result that pops up.
However, I will be very grateful if anyone could suggest how to debug this in order to resolve it faster.

In a nutshell, my setup consists of two interfaces: wlan0 (WiFi AP) and tun0 (VPN tunnel).
My goal is to provide full VPN access to one of the WiFi clients, while additionally forwarding all traffic coming from a specific IP in the VPN to the same client as well.
In my test case the WiFi client address is and the VPN address in question is

I am adding the following iptables rules in order to do that:

    # Enable IPv4 forwarding between wlan0 and tun0
    echo 1 > /proc/sys/net/ipv4/ip_forward
    # Masquerade everything that leaves through the VPN tunnel
    iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE
    # Let replies (and related connections) come back from the tunnel to the WiFi client
    iptables -A FORWARD -i tun0 -o wlan0 -m state --state RELATED,ESTABLISHED -j ACCEPT
    # Let anything from the WiFi side into the tunnel
    iptables -A FORWARD -i wlan0 -o tun0 -j ACCEPT
    # Redirect traffic coming from the chosen VPN address to the WiFi client
    # (both addresses were stripped from the post and are left blank here)
    iptables -t nat -A PREROUTING -s -j DNAT --to-destination

This was working perfectly fine before upgrading to Android 4.4.
When I check the iptables counters I can see that my rules are no longer matching any of the packets.
Monitoring the traffic with tcpdump shows that the packets are received and have the correct parameters, so it seems like they are not handled properly by the kernel.

I have downloaded the Android kernel source code, but a lot of things have changed between 4.3 and 4.4, so it won't be easy to find the cause there without strong networking knowledge (which I don't have). The main thing is that Google added UNIX-like multi-user support to the OS, which required all of the previously used routing rule setting mechanics to be changed.

As I said, I am quite new to Linux networking, so any help and suggestions will be greatly appreciated.
I am not relying on Google to solve this, as this bug has been out there since last December and apparently the impact is not big enough for them to prioritize (or even acknowledge) it.
However, this is a major setback and a show stopper for my product.
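
The script below is an added example for working a "rules never match" problem like the one above; it is not from the original post or from the poster's setup. It assumes a Linux/Android box where you can get a root shell (adb shell, then su), an iptables that accepts -x and --line-numbers, an iproute2 or busybox `ip`, and a kernel built with the TRACE target (if the last iptables command fails, the kernel lacks it). The chain output and the 192.0.2.x / 198.51.100.x addresses are constructed samples, not the poster's real ones. Run it with no arguments to see the counter parser on the sample; run it as root with `--live VPN_SRC CLIENT` to execute the real checks.

```shell
#!/bin/sh
# Added diagnostic helper for the setup in the post; not part of the original thread.
# Assumes: root shell, iptables with -x/--line-numbers, `ip` from iproute2/busybox,
# awk. All addresses in the sample are constructed (documentation ranges).

# zero_hit_rules: read `iptables -t <table> -L <chain> -v -n -x --line-numbers`
# on stdin and print (space separated) the numbers of rules whose packet
# counter is still 0. Column layout of that output:
#   num pkts bytes target prot opt in out source destination [extra]
zero_hit_rules() {
    awk 'NR > 2 && $2 == 0 { out = out (out == "" ? "" : " ") $1 }
         END { print out }'
}

# Constructed sample of `iptables -t nat -L PREROUTING -v -n -x --line-numbers`.
# Rule 2 has matched traffic, rules 1 and 3 have not.
SAMPLE='Chain PREROUTING (policy ACCEPT 3481 packets, 286040 bytes)
num      pkts      bytes target     prot opt in     out     source               destination
1           0          0 DNAT       all  --  tun0   *       198.51.100.7         0.0.0.0/0            to:192.0.2.20
2         412      30908 DNAT       tcp  --  wlan0  *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 to:192.0.2.20:8080
3           0          0 REDIRECT   udp  --  wlan0  *       0.0.0.0/0            0.0.0.0/0            udp dpt:53 redir ports 5353'

demo_zero_hits() {
    printf '%s\n' "$SAMPLE" | zero_hit_rules
}

# live_check VPN_SRC CLIENT: the checks to run on the real box, in order.
live_check() {
    vpn_src=$1
    client=$2

    echo "== forwarding enabled? ip_forward=$(cat /proc/sys/net/ipv4/ip_forward)"

    echo "== reverse path filter (1 = strict: a packet is dropped if the route back"
    echo "   to its source would not use the interface it arrived on)"
    for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
        echo "   $f = $(cat "$f")"
    done

    echo "== nat PREROUTING rules that have never matched:"
    iptables -t nat -L PREROUTING -v -n -x --line-numbers | zero_hit_rules

    echo "== policy routing rules: which table the kernel consults for a flow"
    ip rule show
    echo "== routing decision for a packet from $vpn_src arriving on tun0, after DNAT to $client:"
    ip route get "$client" from "$vpn_src" iif tun0

    echo "== trace packets from $vpn_src through every table and chain."
    echo "   Output goes to the kernel log: dmesg | grep TRACE"
    iptables -t raw -I PREROUTING -s "$vpn_src" -j TRACE
    echo "   Remove it when done: iptables -t raw -D PREROUTING -s $vpn_src -j TRACE"
}

case "${1-}" in
    --live) live_check "$2" "$3" ;;
    *)      echo "rules with zero hits in the sample: $(demo_zero_hits)" ;;
esac
```

The counter check tells you whether the packet ever reached the rule; the TRACE output tells you where it went instead (which table, chain and rule it hit, or whether it left the nat hook before your rule was evaluated), and `ip route get ... from ... iif` shows the routing decision that is made after DNAT, which is where a policy-routing change can bite even when every iptables rule looks right.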

Old 12-07-2014, 05:22 AM   #2
Fixed himself Nov 13th, see
Off the 0-reply list now.