1

Target:

Perform IP forwarding for devices within the same local network. (The real target is transparent proxy but the IP forwarding is a prerequisite)

Network setup:

All devices are in the same local network 192.168.0.0/16.

  • main router 192.168.1.1
  • Android phone 192.168.2.1 (network interface wlan0)
  • computer 192.168.2.10 gateway set as 192.168.2.1
  • others like Raspberry Pi at 192.168.1.11

Android setup:

  • Data disabled, only WiFi connects.
  • rooted Android 10 (Pixel 2 XL)
  • enabled ip forwarding by sysctl -w net.ipv4.ip_forward=1
  • netfilter: on all tables of nat, mangle, filter and raw, run iptables -F -t <table_name> and iptables -X -t <table_name>
  • rp_filter: Disable by sysctl -w net.ipv4.conf.all.rp_filter=0 and sysctl -w net.ipv4.conf.wlan0.rp_filter=0

Result:

  • the computer cannot access to the Internet, ping, dig, browser, nothing works.
  • the computer connects to local devices without any problem (like ping router 192.168.1.1, SSH to the Raspberry Pi, or use FireFox through the SOCK5 proxy hosted on the Pi).
  • Android phone connects to the Internet perfectly.

Debug:

  • using iptables -t <table_name> -L -v to show packet count, all chains have some packets, *except the FORWARD chain of both raw, mangle tables shows Chain FORWARD (policy ACCEPT 0 packets, 0 bytes). After some googling, rp_filter is the suspect but I'm sure it's turned off.
Myles
  • 111
  • 1

1 Answers1

0

Thanks to @Irfan Latif, I found the solution myself. It's right that packets are sent to the last unreachable rule of ip rule, because they fail to match any previous rules:

# result of `ip rule`
... (no rules match)
22000:  from all fwmark 0x0/0xffff iif lo lookup wlan0 
32000:  from all unreachable

So I added a rule to route incoming traffic from local network to route table wlan0 by:
ip rule add from 192.168.0.0/16 iif wlan0 table wlan0

Myles
  • 111
  • 1