iptables forwarding not working

I’m trying to set up an ASUS TinkerBoard (a RaspberryPi derivative) as a wireless bridge.
I have two interfaces, wlan0 and wlx000e3, corresponding to two wi-fi adapters.
The interface wlx000e3 is connected to a router that provides internet access.
The interface wlan0 functions as a personal access point.

I’ve installed and configured hostapd and isc-dhcp-server, and tried to set up iptables following the various howto guides in the internet (starting with https://wiki.archlinux.org/index.php/Internet_sharing#Configuration, then trying a few different variations when that didn’t work.) I am able to connect from a client PC to the board, and from the board to the internet. But I can’t get the board to actually forward anything.

IPv4 forwarding is enabled: /proc/sys/net/ipv4/ip_forward is 1.
iptables got set up without any errors:

# iptables -L -v -n -t nat
...
Chain POSTROUTING (policy ACCEPT 15 packets, 986 bytes)
 pkts bytes target prot opt in out source
 14 945 MASQUERADE all -- * wlx000e3 0.0.0.0/0 0.0.0.0/0

# iptables -L -v -n
Chain Input (policy ACCEPT 1547 packets, 114K bytes)
 pkts bytes target prot opt in out source

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target prot opt in out source
 0 0 ACCEPT all -- wlan0 wlx000e3 0.0.0.0/0 0.0.0.0/0
 0 0 ACCEPT all -- wlx000e3 wlan0 0.0.0.0/0 0.0.0.0/0 state RELATED, ESTABLISHED

Chain OUTPUT (policy ACCEPT 1074 packets, 195K bytes)
 pkts bytes target prot opt in out source

But it’s still not working. There are no errors and even no warnings in the journal or in dmesg. I see that no packets even hit the FORWARD chain, where most of my rules are.

Any ideas?

One thing that might be relevant is that it is a relatively old kernel (4.4.103+) and it has virtually no modules included (I’d really like to avoid building it by hand, unless I have to). It should have the essentials for NAT support built in though (and I’d expect some errors if NAT support weren’t there at all). But I can’t e.g. enable packet tracing, since I don’t have the kernel module nf_log_ipv4.

P.S. What I can do is add LOG targets to iptables. So, I’ve verified that the packets from the client which I’m trying to forward do show up in the ‘nat’ table, PREROUTING chain. But they somehow don’t make it into the FORWARD chain. This suggested to me that maybe I have a problem with routing, but I don’t see anything wrong there:

#ip route
default via 192.168.1.254 dev wlx000e3 src 192.168.1.78 metric 302
169.254.238.0/24 dev wlan0 proto kernel scope link src 169.254.238.1
192.168.1.0/24 dev wlx000e3 proto kernel scope link src 192.168.1.78 metric 302

Here, the client is 169.254.238.4, the wlan0 interface of the board is 169.254.238.1, the upstream router is 192.168.1.254.