
I have 2 servers running Ubuntu 16.04. Server 1 has IP 10.100.100.101 and server 2 has IP 10.100.100.102. Server 1 has Ufw enabled and should accept all traffic to port 8080 from server 2. (Server 2 has Apache that proxies traffic to Server 1.) For some reason Ufw sometimes blocks packets going to port 8080. The version of Ufw is 0.35. I have tried resetting the Ufw settings and rebooting the servers, but that made no difference. Apache logs on server 2 don't show errors matching the time of the blocked requests.

What could be causing these packets to get dropped?

Server configuration:

Web page (Server 2 Apache) -> Ruby http application (Server 1)

Server 1 Ufw settings:

user@server1:~$ sudo ufw status verbose
Status: active
Logging: on (low)
Default: allow (incoming), allow (outgoing), disabled (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
80/tcp                     DENY IN     Anywhere
80/tcp (v6)                DENY IN     Anywhere (v6)

So only traffic to port 80 should be blocked. But I see the following messages in the Ufw log:

2021-01-11 23:13:00 server1 kernel: [UFW BLOCK] IN=eth0 OUT= MAC=00:..08:00 SRC=10.100.100.102 DST=10.100.100.101 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=38424 DF PROTO=TCP SPT=33158 DPT=8080 WINDOW=1157 RES=0x00 ACK FIN URGP=0 
2021-01-11 23:13:00 server1 kernel: [UFW BLOCK] IN=eth0 OUT= MAC=00:..08:00 SRC=10.100.100.102 DST=10.100.100.101 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=53629 DF PROTO=TCP SPT=33084 DPT=8080 WINDOW=2160 RES=0x00 ACK FIN URGP=0 
2021-01-11 23:13:00 server1 kernel: [UFW BLOCK] IN=eth0 OUT= MAC=00:..08:00 SRC=10.100.100.102 DST=10.100.100.101 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=38425 DF PROTO=TCP SPT=33158 DPT=8080 WINDOW=1157 RES=0x00 ACK FIN URGP=0 
2021-01-11 23:13:01 server1 kernel: [UFW BLOCK] IN=eth0 OUT= MAC=00:..08:00 SRC=10.100.100.102 DST=10.100.100.101 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=53630 DF PROTO=TCP SPT=33084 DPT=8080 WINDOW=2160 RES=0x00 ACK FIN URGP=0 
2021-01-11 23:13:01 server1 kernel: [UFW BLOCK] IN=eth0 OUT= MAC=00:..08:00 SRC=10.100.100.102 DST=10.100.100.101 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=38426 DF PROTO=TCP SPT=33158 DPT=8080 WINDOW=1157 RES=0x00 ACK FIN URGP=0 
2021-01-11 23:13:02 server1 kernel: [UFW BLOCK] IN=eth0 OUT= MAC=00:..08:00 SRC=10.100.100.102 DST=10.100.100.101 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=53631 DF PROTO=TCP SPT=33084 DPT=8080 WINDOW=2160 RES=0x00 ACK FIN URGP=0 
2021-01-11 23:13:02 server1 kernel: [UFW BLOCK] IN=eth0 OUT= MAC=00:..08:00 SRC=10.100.100.102 DST=10.100.100.101 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=38427 DF PROTO=TCP SPT=33158 DPT=8080 WINDOW=1157 RES=0x00 ACK FIN URGP=0 
2021-01-11 23:13:03 server1 kernel: [UFW BLOCK] IN=eth0 OUT= MAC=00:..08:00 SRC=10.100.100.102 DST=10.100.100.101 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=53632 DF PROTO=TCP SPT=33084 DPT=8080 WINDOW=2160 RES=0x00 ACK FIN URGP=0 
2021-01-11 23:13:03 server1 kernel: [UFW BLOCK] IN=eth0 OUT= MAC=00:..08:00 SRC=10.100.100.102 DST=10.100.100.101 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=38428 DF PROTO=TCP SPT=33158 DPT=8080 WINDOW=1157 RES=0x00 ACK FIN URGP=0 
2021-01-11 23:13:06 server1 kernel: [UFW BLOCK] IN=eth0 OUT= MAC=00:..08:00 SRC=10.100.100.102 DST=10.100.100.101 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=38429 DF PROTO=TCP SPT=33158 DPT=8080 WINDOW=1157 RES=0x00 ACK FIN URGP=0 
2021-01-11 23:13:26 server1 kernel: [UFW BLOCK] IN=eth0 OUT= MAC=00:..08:00 SRC=10.100.100.102 DST=10.100.100.101 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=38431 DF PROTO=TCP SPT=33158 DPT=8080 WINDOW=1157 RES=0x00 ACK FIN URGP=0 
2021-01-11 23:13:52 server1 kernel: [UFW BLOCK] IN=eth0 OUT= MAC=00:..08:00 SRC=10.100.100.102 DST=10.100.100.101 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=38432 DF PROTO=TCP SPT=33158 DPT=8080 WINDOW=1157 RES=0x00 ACK FIN URGP=0

Active Iptables rules:

Chain INPUT (policy ACCEPT 4 packets, 144 bytes)
num   pkts bytes target     prot opt in     out     source               destination         
1    6082K   99G ufw-before-logging-input  all  --  any    any     anywhere             anywhere            
2    6082K   99G ufw-before-input  all  --  any    any     anywhere             anywhere            
3    14402  875K ufw-after-input  all  --  any    any     anywhere             anywhere            
4    13502  805K ufw-after-logging-input  all  --  any    any     anywhere             anywhere            
5    13502  805K ufw-reject-input  all  --  any    any     anywhere             anywhere            
6    13502  805K ufw-track-input  all  --  any    any     anywhere             anywhere

Chain FORWARD (policy DROP 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 0 0 ufw-before-logging-forward all -- any any anywhere anywhere
2 0 0 ufw-before-forward all -- any any anywhere anywhere
3 0 0 ufw-after-forward all -- any any anywhere anywhere
4 0 0 ufw-after-logging-forward all -- any any anywhere anywhere
5 0 0 ufw-reject-forward all -- any any anywhere anywhere
6 0 0 ufw-track-forward all -- any any anywhere anywhere

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 5789K 101G ufw-before-logging-output all -- any any anywhere anywhere
2 5789K 101G ufw-before-output all -- any any anywhere anywhere
3 339K 21M ufw-after-output all -- any any anywhere anywhere
4 339K 21M ufw-after-logging-output all -- any any anywhere anywhere
5 339K 21M ufw-reject-output all -- any any anywhere anywhere
6 339K 21M ufw-track-output all -- any any anywhere anywhere

Chain ufw-after-forward (1 references)
num pkts bytes target prot opt in out source destination

Chain ufw-after-input (1 references)
num pkts bytes target prot opt in out source destination
1 900 70416 ufw-skip-to-policy-input udp -- any any anywhere anywhere udp dpt:netbios-ns
2 0 0 ufw-skip-to-policy-input udp -- any any anywhere anywhere udp dpt:netbios-dgm
3 0 0 ufw-skip-to-policy-input tcp -- any any anywhere anywhere tcp dpt:netbios-ssn
4 0 0 ufw-skip-to-policy-input tcp -- any any anywhere anywhere tcp dpt:microsoft-ds
5 0 0 ufw-skip-to-policy-input udp -- any any anywhere anywhere udp dpt:bootps
6 0 0 ufw-skip-to-policy-input udp -- any any anywhere anywhere udp dpt:bootpc
7 0 0 ufw-skip-to-policy-input all -- any any anywhere anywhere ADDRTYPE match dst-type BROADCAST

Chain ufw-after-logging-forward (1 references)
num pkts bytes target prot opt in out source destination
1 0 0 LOG all -- any any anywhere anywhere limit: avg 3/min burst 10 LOG level warning prefix "[UFW BLOCK] "

Chain ufw-after-logging-input (1 references)
num pkts bytes target prot opt in out source destination

Chain ufw-after-logging-output (1 references)
num pkts bytes target prot opt in out source destination

Chain ufw-after-output (1 references)
num pkts bytes target prot opt in out source destination

Chain ufw-before-forward (1 references)
num pkts bytes target prot opt in out source destination
1 0 0 ACCEPT all -- any any anywhere anywhere ctstate RELATED,ESTABLISHED
2 0 0 ACCEPT icmp -- any any anywhere anywhere icmp destination-unreachable
3 0 0 ACCEPT icmp -- any any anywhere anywhere icmp source-quench
4 0 0 ACCEPT icmp -- any any anywhere anywhere icmp time-exceeded
5 0 0 ACCEPT icmp -- any any anywhere anywhere icmp parameter-problem
6 0 0 ACCEPT icmp -- any any anywhere anywhere icmp echo-request
7 0 0 ufw-user-forward all -- any any anywhere anywhere

Chain ufw-before-input (1 references)
num pkts bytes target prot opt in out source destination
1 4656K 99G ACCEPT all -- lo any anywhere anywhere
2 1345K 323M ACCEPT all -- any any anywhere anywhere ctstate RELATED,ESTABLISHED
3 66677 3467K ufw-logging-deny all -- any any anywhere anywhere ctstate INVALID
4 66677 3467K DROP all -- any any anywhere anywhere ctstate INVALID
5 0 0 ACCEPT icmp -- any any anywhere anywhere icmp destination-unreachable
6 0 0 ACCEPT icmp -- any any anywhere anywhere icmp source-quench
7 0 0 ACCEPT icmp -- any any anywhere anywhere icmp time-exceeded
8 0 0 ACCEPT icmp -- any any anywhere anywhere icmp parameter-problem
9 0 0 ACCEPT icmp -- any any anywhere anywhere icmp echo-request
10 0 0 ACCEPT udp -- any any anywhere anywhere udp spt:bootps dpt:bootpc
11 14402 875K ufw-not-local all -- any any anywhere anywhere
12 0 0 ACCEPT udp -- any any anywhere 224.0.0.251 udp dpt:mdns
13 0 0 ACCEPT udp -- any any anywhere 239.255.255.250 udp dpt:1900
14 14402 875K ufw-user-input all -- any any anywhere anywhere

Chain ufw-before-logging-forward (1 references)
num pkts bytes target prot opt in out source destination

Chain ufw-before-logging-input (1 references)
num pkts bytes target prot opt in out source destination

Chain ufw-before-logging-output (1 references)
num pkts bytes target prot opt in out source destination

Chain ufw-before-output (1 references)
num pkts bytes target prot opt in out source destination
1 4656K 99G ACCEPT all -- any lo anywhere anywhere
2 794K 2513M ACCEPT all -- any any anywhere anywhere ctstate RELATED,ESTABLISHED
3 339K 21M ufw-user-output all -- any any anywhere anywhere

Chain ufw-logging-allow (0 references)
num pkts bytes target prot opt in out source destination
1 0 0 LOG all -- any any anywhere anywhere limit: avg 3/min burst 10 LOG level warning prefix "[UFW ALLOW] "

Chain ufw-logging-deny (2 references)
num pkts bytes target prot opt in out source destination
1 40662 2114K RETURN all -- any any anywhere anywhere ctstate INVALID limit: avg 3/min burst 10
2 19126 995K LOG all -- any any anywhere anywhere limit: avg 3/min burst 10 LOG level warning prefix "[UFW BLOCK] "

Chain ufw-not-local (1 references)
num pkts bytes target prot opt in out source destination
1 13498 805K RETURN all -- any any anywhere anywhere ADDRTYPE match dst-type LOCAL
2 4 144 RETURN all -- any any anywhere anywhere ADDRTYPE match dst-type MULTICAST
3 900 70416 RETURN all -- any any anywhere anywhere ADDRTYPE match dst-type BROADCAST
4 0 0 ufw-logging-deny all -- any any anywhere anywhere limit: avg 3/min burst 10
5 0 0 DROP all -- any any anywhere anywhere

Chain ufw-reject-forward (1 references)
num pkts bytes target prot opt in out source destination

Chain ufw-reject-input (1 references)
num pkts bytes target prot opt in out source destination

Chain ufw-reject-output (1 references)
num pkts bytes target prot opt in out source destination

Chain ufw-skip-to-policy-forward (0 references)
num pkts bytes target prot opt in out source destination
1 0 0 DROP all -- any any anywhere anywhere

Chain ufw-skip-to-policy-input (7 references)
num pkts bytes target prot opt in out source destination
1 900 70416 ACCEPT all -- any any anywhere anywhere

Chain ufw-skip-to-policy-output (0 references)
num pkts bytes target prot opt in out source destination
1 0 0 ACCEPT all -- any any anywhere anywhere

Chain ufw-track-forward (1 references)
num pkts bytes target prot opt in out source destination

Chain ufw-track-input (1 references)
num pkts bytes target prot opt in out source destination
1 13498 805K ACCEPT tcp -- any any anywhere anywhere ctstate NEW
2 0 0 ACCEPT udp -- any any anywhere anywhere ctstate NEW

Chain ufw-track-output (1 references)
num pkts bytes target prot opt in out source destination
1 113K 6771K ACCEPT tcp -- any any anywhere anywhere ctstate NEW
2 226K 14M ACCEPT udp -- any any anywhere anywhere ctstate NEW

Chain ufw-user-forward (1 references)
num pkts bytes target prot opt in out source destination

Chain ufw-user-input (1 references)
num pkts bytes target prot opt in out source destination
1 0 0 DROP tcp -- any any anywhere anywhere tcp dpt:80

Chain ufw-user-limit (0 references)
num pkts bytes target prot opt in out source destination
1 0 0 LOG all -- any any anywhere anywhere limit: avg 3/min burst 5 LOG level warning prefix "[UFW LIMIT BLOCK] "
2 0 0 REJECT all -- any any anywhere anywhere reject-with icmp-port-unreachable

Chain ufw-user-limit-accept (0 references)
num pkts bytes target prot opt in out source destination
1 0 0 ACCEPT all -- any any anywhere anywhere

Chain ufw-user-logging-forward (0 references)
num pkts bytes target prot opt in out source destination

Chain ufw-user-logging-input (0 references)
num pkts bytes target prot opt in out source destination

Chain ufw-user-logging-output (0 references)
num pkts bytes target prot opt in out source destination

Chain ufw-user-output (1 references)
num pkts bytes target prot opt in out source destination

Apache proxy config on server 2:

<Location /app>
    ProxyPass http://10.100.100.101:8080/app retry=3
    ProxyPassReverse http://10.100.100.101:8080/app
    Require all granted
</Location>

1 Answer

I just found another question which has an explanation for this phenomenon: Why is ufw logging 'BLOCK' messages regarding a port for which ufw is configured to 'ALLOW' connections?

This is more related to old connections being closed than to actual client connections getting blocked. This explains why the blocked connections did not have matching entries in the access log of the proxy server.
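The logged segments in the question all carry `ACK FIN` and no `SYN`, and the `ufw-before-input` chain above logs and drops `ctstate INVALID` traffic (rules 3 and 4), which is what a late FIN/ACK for a connection conntrack has already torn down matches. The following added example (not from the question, the answer, or ufw itself) parses `[UFW BLOCK]` kernel log lines and separates such stray segments from SYN-only segments, which are genuine rejected connection attempts. The two classification labels and the SYN-without-ACK heuristic are assumptions of this example, not ufw categories; the sample log reuses two lines from the question plus one constructed SYN-only line to the denied port 80 so that both classes appear.

```python
"""Parse and classify '[UFW BLOCK]' kernel log lines (added example)."""
from collections import Counter
from dataclasses import dataclass
from typing import FrozenSet, Iterable, Optional

# Bare flag tokens the iptables LOG target prints for TCP segments.
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG", "CWR", "ECE"}
MARKER = "[UFW BLOCK] "


@dataclass(frozen=True)
class UfwBlock:
    timestamp: str
    src: str
    dst: str
    proto: str
    spt: Optional[int]
    dpt: Optional[int]
    flags: FrozenSet[str]


def parse_ufw_block(line: str) -> Optional[UfwBlock]:
    """Return a UfwBlock for a '[UFW BLOCK]' line, None for any other line."""
    idx = line.find(MARKER)
    if idx < 0:
        return None
    # syslog prefix is "<date> <time> <host> kernel:"; keep date and time.
    head = line[:idx].split()
    timestamp = " ".join(head[:2])
    kv = {}
    flags = set()
    for tok in line[idx + len(MARKER):].split():
        if "=" in tok:                 # KEY=VALUE tokens (OUT= has an empty value)
            key, value = tok.split("=", 1)
            kv[key] = value
        elif tok in TCP_FLAGS:         # bare tokens such as ACK, FIN, SYN
            flags.add(tok)
        # other bare tokens (e.g. DF) are not needed here

    def port(key: str) -> Optional[int]:
        value = kv.get(key, "")
        return int(value) if value.isdigit() else None

    return UfwBlock(timestamp, kv.get("SRC", ""), kv.get("DST", ""),
                    kv.get("PROTO", ""), port("SPT"), port("DPT"),
                    frozenset(flags))


def classify(block: UfwBlock) -> str:
    """Heuristic label (an assumption of this example, not an iptables/ufw term)."""
    if block.proto != "TCP":
        return "non-tcp"
    if "SYN" in block.flags and "ACK" not in block.flags:
        return "new-connection-denied"  # a real policy deny of a new flow
    if "SYN" not in block.flags and block.flags & {"ACK", "FIN", "RST"}:
        return "stray-segment"          # tail of a connection conntrack no longer tracks
    return "other"


def summarize(lines: Iterable[str]) -> Counter:
    """Count blocked segments per (source, destination port, classification)."""
    counts: Counter = Counter()
    for line in lines:
        block = parse_ufw_block(line)
        if block is not None:
            counts[(block.src, block.dpt, classify(block))] += 1
    return counts


# Two lines copied from the question's log, plus one constructed SYN-only
# segment to the denied port 80 (not from the question's log).
SAMPLE_LOG = [
    "2021-01-11 23:13:00 server1 kernel: [UFW BLOCK] IN=eth0 OUT= MAC=00:..08:00 "
    "SRC=10.100.100.102 DST=10.100.100.101 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=38424 DF "
    "PROTO=TCP SPT=33158 DPT=8080 WINDOW=1157 RES=0x00 ACK FIN URGP=0",
    "2021-01-11 23:13:00 server1 kernel: [UFW BLOCK] IN=eth0 OUT= MAC=00:..08:00 "
    "SRC=10.100.100.102 DST=10.100.100.101 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=53629 DF "
    "PROTO=TCP SPT=33084 DPT=8080 WINDOW=2160 RES=0x00 ACK FIN URGP=0",
    # constructed line: a new connection attempt to the port the ufw rule denies
    "2021-01-11 23:14:10 server1 kernel: [UFW BLOCK] IN=eth0 OUT= MAC=00:..08:00 "
    "SRC=10.100.100.102 DST=10.100.100.101 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF "
    "PROTO=TCP SPT=40000 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0",
]

if __name__ == "__main__":
    for (src, dpt, kind), n in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{src} -> dpt {dpt}: {kind} x{n}")
```

Run against a real `/var/log/ufw.log` by feeding the file's lines to `summarize`; a port that shows only `stray-segment` entries from a known peer is the situation the answer describes, while `new-connection-denied` entries are the ones worth checking against the rule set.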