Recently I discovered an issue with packet routing in the latest Android releases (4.4+ KitKat & Lollipop).
It seems that the problem Android specific, but essentially it comes from the Linux kernel.
I already filed a bug report to Google. You can see the details by searching for 'Android Issue 78910' - it's the first result that pops up.
However, I will be very grateful if anyone could suggest how to debug this in order to resolve it faster.
In a nutshell, my setup consists of 2 interfaces = wlan0 (WiFi AP) and tun0 (VPN tunnel).
My goal is to provide full VPN access to one of the WiFi clients, while additionally forwarding all traffic coming from a specific IP in the VPN to the same client as well.
In my test case the WiFi client address is 192.168.100.50 and the VPN address in question is 172.28.26.36.
I am adding the following IPTABLES rules in order to do that:
Code:
echo 1 > /proc/sys/net/ipv4/ip_forward;
iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE;
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT -i tun0 -o wlan0;
iptables -A FORWARD -j ACCEPT -o tun0 -i wlan0; iptables -t nat -A PREROUTING -s 192.168.100.50 -j DNAT --to-destination 172.28.26.36;
This was working perfectly fine before upgrading to Android 4.4.
When I check the IPTABLES stats I can see that my rules are no longer matching any of the packets.
Monitoring the traffic with TCPDUMP shows that the packets are received and have the correct parameters, so it seems like they are not handled properly by the kernel.
I have downloaded the Android kernel source code, but a lot of things have changed between 4.3 and 4.4, so it won't be easy to find the cause there without strong networking knowledge (which I don't have). The main thing is that Google added UNIX-like multi user support to the OS, which required all of the previously used routing rule setting mechanics to be changed.
As I said, I am quite new to Linux networking, so any help and suggestions will be greatly appreciated.
I am not relying on Google to solve this, as this bug has been out there since last December and apparently the impact is not big enough for them to prioritize (or even acknowledge) it.
However, this is a major setback and a show stopper for my product.
Thanks!
Last edited by Scott; 11-08-2014 at 05:47 AM..
Reason: Please use code tags
good day good people
hi
first to tell that firewall and vpn is working as expected, but I notice something strange.
I have host system 11.11.11.11(local ip) firewall is blocking everything except port to vpn.
I have vpn on virtualized system 22.22.22.22 (CentOS both host and virtual). ... (0 Replies)
Hi guys
I'm running on debian on a small embedded system. I have a ppp interface that is connected to the internet (and works). My unit also has wifi access point (which works and I can connect to it).
I want to allow connections to the wifi to be able to use the internet from ppp0... (1 Reply)
Hi all,
I have a following situation:
- I want certain source IPs to be natted to a different destination IP and Port. Following is how I am achieving it:
/usr/local/sbin/iptables -t nat -A PREROUTING -p tcp -s 192.168.10.12
--dport 1500 -j DNAT --to-destination 192.168.10.20:2000
... (3 Replies)
Hi, I am learning IPTables have this question.
My server is behind a firewall that does a PAT & NAT to the LAN address.
Internet IP: 68.1.1.23
Port: 10022
Server LAN IP: 10.1.1.23
port: 22
Allowed Internet IPs: 131.1.1.23, 132.1.1.23
I want to allow a set of IPs are to be able to... (1 Reply)
Hello, please can you help and explain me.
I have two servers. Both are RHEL6.
I use the first one like router and the second one for apache.
Router forwards 80 port on the second server and I can open that from the internet (mysite.com, for example). But I can not open mysite.com if i try to... (0 Replies)
Good morning,
I'm a newbie of iptables and as far as I've seen on tutorials on the Internet it seems that both prerouting and postrouting NAT chains are undergone both by a packet that goes from an internal LAN to the Internet and of a one that goes in the opposite direction (from the Internet to... (0 Replies)
I've been going crazy trying to get this working. Here's the situation: we have a Solaris 10 box that connects an internal network to an external network. We're using ipf/ipnat on it. We've added a couple of new boxes to the internal network (192.168.1.100, .101) and want to be able to get to port... (1 Reply)
Hi all,
I decided to replace my linux router/firewall with Solaris 11 express. This is a pppoe connection directly to my server...no router boxes. I got everything setup, but the performance is terrible on the NAT....really slow. A web page that loads on the server instantly will take... (3 Replies)
Hello Guys,
I have a debian machine that work as a firewall (iptables + squid 2.6) with two physical interfaces: eth0 (public interface) and eth1 (internal interface LAN). I have created an alias eth1:1 in order to have two subnets on same physical interface:
cat/etc/network/interfaces
auto... (0 Replies)
11-08-2014
Debugging NAT / prerouting issues (iptables)