I have the exact same problem with stock ROM and every custom ROM based on Android 4.4. Looks like Google AGAIN changed something in a way that breaks security-relevant applications. My first beef with Android started when I learned that they changed something that effectively breaks all apps that enforced custom DNS rules. But I get off the point...
Right now I reverted back to 4.3 because I just had it with Google breaking my security concepts. I know this is not the ultimate solution because I miss out on security patches but the whole thing is a giant dilemma and thus I had to make some decision. I'm sorry that I did not bring up this matter myself. This was selfish of me.
Problem is: I don't know any manual way to enforce iptables rules in the way AFWall+ did. AFAIK iptables only knows IP addresses, ports and network devices (like TUN / TAP / ETH / WIFI). So to my knowledge there is no way to create application-specific iptables rules. Don't ask me how AFWall+ did that. Maybe it has something to do with busybox, maybe I just don't know enough about iptables.
My suggestion would be to revert to 4.3 for the time being and hope that they find a way to make AFWall+ work like it had before. But don't get your hopes up too much. The DNS problem for example seems to stay for good and I have a bad feeling about these firewall issues.
Other than that, I strongly support the request for any still-working alternatives that might exist.
home is where the artillery hits