Suricata iptables problem with repeat mode

Hi,

We have a debian iptables masquerading router setup, serving 2 PC, one connected via ethernet, other via wifi using hostapd.

Suricata version: 6.0.10 / Debian 11 / Installed via apt
Suricata is configured with “repeat” mode.
*** Suricata NFQ configuration ***
nfq:
mode: repeat
repeat-mark: 1
repeat-mask: 1

Suricata NFQUEUE rule is at the top of FORWARD chain. We try to allow only specified mac addresses to access the internet.
Chain FORWARD
-A FORWARD -m mark ! --mark 0x1/0x1 -j NFQUEUE --queue-num 0
-A FORWARD -j FORWARD_BOND
-A FORWARD -j FORWARD_DEVICE
-A FORWARD -j FORWARD_DROP
-A FORWARD_BOND -i enp1s0 -j ACCEPT
-A FORWARD_DEVICE -j LOG --log-prefix "[FORWARD RULE] "
-A FORWARD_DEVICE -m mac --mac-source 00:d8:61:09:b1:1f -j ACCEPT # Ethernet
-A FORWARD_DEVICE -m mac --mac-source da:8d:be:65:ea:94 -j ACCEPT # Wifi
-A FORWARD_DROP -j DROP

PC with Wifi interface accessing internet without any issue, but PC with Ethernet interface do not.

“-A FORWARD_DEVICE -m mac --mac-source 00:d8:61:09:b1:1f -j ACCEPT # Ethernet”
This rule do not get hit when Suricata is configured with “repeat” mode, hence packets dropped by the next rule. But Wifi interface gets the hit and runs without any issue.

Iptables log rule output is below.
*** iptables logs [FORWARD RULE] ***

• Wireless *
  Oct 28 09:20:43 ksg kernel: [24858.502726] [FORWARD RULE] IN=br0 OUT=enp1s0 MAC=46:21:0b:48:f3:7a:da:8d:be:65:ea:94:08:00 SRC=10.5.5.3 DST=188.41.242.25 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=36185 DF PROTO=TCP SPT=42412 DPT=853 WINDOW=134 RES=0x00 ACK URGP=0 MARK=0x1
  Oct 28 09:20:43 ksg kernel: [24858.502828] [FORWARD RULE] IN=br0 OUT=enp1s0 MAC=46:21:0b:48:f3:7a:da:8d:be:65:ea:94:08:00 SRC=10.5.5.3 DST=188.41.242.25 LEN=76 TOS=0x00 PREC=0x00 TTL=63 ID=36186 DF PROTO=TCP SPT=42412 DPT=853 WINDOW=134 RES=0x00 ACK PSH URGP=0 MARK=0x1
  Oct 28 09:20:43 ksg kernel: [24858.503074] [FORWARD RULE] IN=br0 OUT=enp1s0 MAC=46:21:0b:48:f3:7a:da:8d:be:65:ea:94:08:00 SRC=10.5.5.3 DST=188.41.242.25 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=36187 DF PROTO=TCP SPT=42412 DPT=853 WINDOW=134 RES=0x00 ACK FIN URGP=0 MARK=0x1
  Oct 28 09:20:43 ksg kernel: [24858.523877] [FORWARD RULE] IN=br0 OUT=enp1s0 MAC=46:21:0b:48:f3:7a:da:8d:be:65:ea:94:08:00 SRC=10.5.5.3 DST=188.41.242.25 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=42412 DPT=853 WINDOW=134 RES=0x00 ACK URGP=0 MARK=0x1

• Ethernet *
  Oct 28 08:24:03 ksg kernel: [21458.356239] [FORWARD RULE] IN=br0 OUT=enp1s0 MAC= SRC=10.5.5.2 DST=52.92.34.138 LEN=1472 TOS=0x00 PREC=0x00 TTL=127 ID=5803 DF PROTO=TCP SPT=55579 DPT=443 WINDOW=1026 RES=0x00 ACK URGP=0 MARK=0x1
  Oct 28 08:24:03 ksg kernel: [21458.356304] [FORWARD RULE] IN=br0 OUT=enp1s0 MAC= SRC=10.5.5.2 DST=52.92.34.138 LEN=1472 TOS=0x00 PREC=0x00 TTL=127 ID=5804 DF PROTO=TCP SPT=55579 DPT=443 WINDOW=1026 RES=0x00 ACK URGP=0 MARK=0x1
  Oct 28 08:24:03 ksg kernel: [21458.356358] [FORWARD RULE] IN=br0 OUT=enp1s0 MAC= SRC=10.5.5.2 DST=52.92.34.138 LEN=1472 TOS=0x00 PREC=0x00 TTL=127 ID=5805 DF PROTO=TCP SPT=55579 DPT=443 WINDOW=1026 RES=0x00 ACK URGP=0 MARK=0x1
  Oct 28 08:24:03 ksg kernel: [21458.356409] [FORWARD RULE] IN=br0 OUT=enp1s0 MAC= SRC=10.5.5.2 DST=52.92.34.138 LEN=1472 TOS=0x00 PREC=0x00 TTL=127 ID=5806 DF PROTO=TCP SPT=55579 DPT=443 WINDOW=1026 RES=0x00 ACK URGP=0 MARK=0x1

Here as you can see, MAC information(MAC= SRC=10.5.5.2) is lost with ethernet interface. But Wifi interface(MAC=46:21:0b:48:f3:7a:da:8d:be:65:ea:94:08:00 SRC=10.5.5.3) has no issue.

We run SpeedTest, and while download speed is normal, upload speed drops from 70 mbit to 0.6 mbit with ethernet interface.

Any suggestions? Is there a problem with our setup, or something wrong with suricata?

*** Setup information ***

*** iptables -vnL ***
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
127 8178 NFQUEUE all – * * 0.0.0.0/0 0.0.0.0/0 mark match ! 0x1/0x1 NFQUEUE num 0

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
1410K 1264M NFQUEUE all – * * 0.0.0.0/0 0.0.0.0/0 mark match ! 0x1/0x1 NFQUEUE num 0
4504K 3971M FORWARD_BOND all – * * 0.0.0.0/0 0.0.0.0/0
1992K 664M FORWARD_DEVICE all – * * 0.0.0.0/0 0.0.0.0/0
169K 164M FORWARD_DROP all – * * 0.0.0.0/0 0.0.0.0/0

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
47 5928 NFQUEUE all – * * 0.0.0.0/0 0.0.0.0/0 mark match ! 0x1/0x1 NFQUEUE num 0

Chain FORWARD_BOND (1 references)
pkts bytes target prot opt in out source destination
2512K 3307M ACCEPT all – enp1s0 * 0.0.0.0/0 0.0.0.0/0

Chain FORWARD_DEVICE (1 references)
pkts bytes target prot opt in out source destination
286K 76M LOG all – * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 4 prefix "[FORWARD RULE] "
1099K 120M ACCEPT all – * * 0.0.0.0/0 0.0.0.0/0 MAC00:d8:61:09:b1:1f
161K 85M ACCEPT all – * * 0.0.0.0/0 0.0.0.0/0 MACda:8d:be:65:ea:94

Chain FORWARD_DROP (1 references)
pkts bytes target prot opt in out source destination
26205 38M DROP all – * * 0.0.0.0/0 0.0.0.0/0

*** iptables -vnL -t nat ***
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
3544 698K MASQUERADE all – * enp1s0 0.0.0.0/0 0.0.0.0/0

*** iptables-save ***
#Generated by iptables-save v1.8.7 on Mon Oct 28 09:03:51 2024
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:FORWARD_BOND - [0:0]
:FORWARD_DEVICE - [0:0]
:FORWARD_DROP - [0:0]
-A INPUT -m mark ! --mark 0x1/0x1 -j NFQUEUE --queue-num 0
-A FORWARD -m mark ! --mark 0x1/0x1 -j NFQUEUE --queue-num 0
-A FORWARD -j FORWARD_BOND
-A FORWARD -j FORWARD_DEVICE
-A FORWARD -j FORWARD_DROP
-A OUTPUT -m mark ! --mark 0x1/0x1 -j NFQUEUE --queue-num 0
-A FORWARD_BOND -i enp1s0 -j ACCEPT
-A FORWARD_DEVICE -j LOG --log-prefix "[FORWARD RULE] "
-A FORWARD_DEVICE -m mac --mac-source 00:d8:61:09:b1:1f -j ACCEPT # Ethernet
-A FORWARD_DEVICE -m mac --mac-source da:8d:be:65:ea:94 -j ACCEPT # Wifi
-A FORWARD_DROP -j DROP
COMMIT
#Completed on Mon Oct 28 09:03:51 2024
#Generated by iptables-save v1.8.7 on Mon Oct 28 09:03:51 2024
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o enp1s0 -j MASQUERADE
COMMIT
#Completed on Mon Oct 28 09:03:51 2024

*** Network interfaces - lshw ***
*-network:0
description: Wireless interface
physical id: 1
bus info: usb@1:7
logical name: wlx74f06d5609c8
serial: 74:f0:6d:56:09:c8
capabilities: ethernet physical wireless
configuration: broadcast=yes driver=rt2800usb driverversion=5.10.0-33-amd64 firmware=0.36 link=yes multicast=yes wireless=IEEE 802.11
*-network
description: Ethernet interface
product: Ethernet Controller I225-V
vendor: Intel Corporation
physical id: 0
bus info: pci@0000:01:00.0
logical name: enp1s0
version: 03
serial: 00:e2:69:5c:1f:73
size: 100Mbit/s
capacity: 1Gbit/s
width: 32 bits
clock: 33MHz
capabilities: bus_master cap_list rom ethernet physical tp 10bt 10bt-fd 100bt 100bt-fd 1000bt-fd autonegotiation
configuration: autonegotiation=on broadcast=yes driver=igc driverversion=5.10.0-33-amd64 duplex=full ip=192.168.4.7 latency=0 link=yes multicast=yes port=twisted pair speed=100Mbit/s
resources: irq:22 memory:a1b00000-a1bfffff memory:a1c00000-a1c03fff memory:a1a00000-a1afffff

You are using Suricata 6.0.10 which is EOL, please upgrade first to Suricata 7.0 and test your setup again.

I tried to same setup on Debian 12.5 and Suricata version was 7.0.7. The result didn’t change…