Ubuntu – UFW BLOCK syslog – tcp/ip is blocked and this is allowed in UFW – GPS TRACKING/TCP/UDP report server

Tags: 14.04, iptables, networking, syslog, ufw

Well, I'm new to these things. I have been searching for a solution to my problem: resetting and doing it again, specifying port and protocol, port in and out with a protocol, but I can't.


Information

Problem: the firewall blocks some, not all, but some IPs that are incoming on a port that I configured to allow incoming TCP and UDP. I saw errors in syslog with the tag [UFW BLOCK] SPT=45000 DPT=1563

What I want: only open ports ssh, http and the range from 1500 to 1600, TCP and UDP…


How I configured it

My commands to configure the firewall to allow incoming and outgoing connections

ufw allow 22
ufw allow 80
ufw allow 1500:1600/tcp
ufw allow 1500:1600/udp

Status of firewall with ufw

root@u19312139:~# ufw status
Status: active

To                         Action      From
--                         ------      ----
22                         ALLOW       Anywhere
80                         ALLOW       Anywhere
1500:1600/tcp              ALLOW       Anywhere
1500:1600/udp              ALLOW       Anywhere
22 (v6)                    ALLOW       Anywhere (v6)
80 (v6)                    ALLOW       Anywhere (v6)
1500:1600/tcp (v6)         ALLOW       Anywhere (v6)
1500:1600/udp (v6)         ALLOW       Anywhere (v6)

syslog log

Note: command to watch syslog in real time, showing only the lines that contain "UFW"

tail -f /var/log/syslog | grep "UFW"

My output

[UFW BLOCK] IN=eth0 OUT= MAC=xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx SRC=189.173.30.x DST=xx:xx:xx:xx LEN=52 TOS=0x00 PREC=0x00 TTL=53 ID=52308 DF PROTO=TCP SPT=52572 DPT=1557 WINDOW=1445 RES=0x00 ACK FIN URGP=0
[UFW BLOCK] IN=eth0 OUT= MAC=xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx SRC=189.173.30.x DST=xx:xx:xx:xx LEN=52 TOS=0x00 PREC=0x00 TTL=53 ID=52309 DF PROTO=TCP SPT=52572 DPT=1557 WINDOW=1445 RES=0x00 ACK FIN URGP=0
[UFW BLOCK] IN=eth0 OUT= MAC=xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx SRC=189.173.30.x DST=xx:xx:xx:xx LEN=52 TOS=0x00 PREC=0x00 TTL=53 ID=12518 DF PROTO=TCP SPT=62545 DPT=80 WINDOW=1445 RES=0x00 ACK FIN URGP=0
[UFW BLOCK] IN=eth0 OUT= MAC=xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx SRC=189.173.30.x DST=xx:xx:xx:xx LEN=52 TOS=0x00 PREC=0x00 TTL=53 ID=52310 DF PROTO=TCP SPT=52572 DPT=1557 WINDOW=1445 RES=0x00 ACK FIN URGP=0
[UFW BLOCK] IN=eth0 OUT= MAC=xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx SRC=189.173.30.x DST=xx:xx:xx:xx LEN=52 TOS=0x00 PREC=0x00 TTL=53 ID=12519 DF PROTO=TCP SPT=62545 DPT=80 WINDOW=1445 RES=0x00 ACK FIN URGP=0
[UFW BLOCK] IN=eth0 OUT= MAC=xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx SRC=189.173.30.x DST=xx:xx:xx:xx LEN=52 TOS=0x00 PREC=0x00 TTL=53 ID=52311 DF PROTO=TCP SPT=52572 DPT=1557 WINDOW=1445 RES=0x00 ACK FIN URGP=0
[UFW BLOCK] IN=eth0 OUT= MAC=xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx SRC=189.173.30.x DST=xx:xx:xx:xx LEN=52 TOS=0x00 PREC=0x00 TTL=53 ID=12520 DF PROTO=TCP SPT=62545 DPT=80 WINDOW=1445 RES=0x00 ACK FIN URGP=0
[UFW BLOCK] IN=eth0 OUT= MAC=xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx SRC=189.173.30.x DST=xx:xx:xx:xx LEN=52 TOS=0x00 PREC=0x00 TTL=53 ID=52312 DF PROTO=TCP SPT=52572 DPT=1557 WINDOW=1445 RES=0x00 ACK FIN URGP=0
[UFW BLOCK] IN=eth0 OUT= MAC=xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx SRC=187.237.167.x DST=xx:xx:xx:xx LEN=40 TOS=0x00 PREC=0x00 TTL=115 ID=2280 DF PROTO=TCP SPT=42542 DPT=1563 WINDOW=10880 RES=0x00 ACK URGP=0
[UFW BLOCK] IN=eth0 OUT= MAC=xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx SRC=189.173.30.x DST=xx:xx:xx:xx LEN=52 TOS=0x00 PREC=0x00 TTL=53 ID=12521 DF PROTO=TCP SPT=62545 DPT=80 WINDOW=1445 RES=0x00 ACK FIN URGP=0
[UFW BLOCK] IN=eth0 OUT= MAC=xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx SRC=187.210.142.x DST=xx:xx:xx:xx LEN=40 TOS=0x00 PREC=0x00 TTL=117 ID=6018 PROTO=TCP SPT=48744 DPT=1563 WINDOW=8160 RES=0x00 ACK URGP=0

Notes:

  • SPT= is the source port?
  • DPT is the port, right? But it is in the 15xx range, and I put allow 1500 to 1600 in the firewall.
  • What can I do to fix these problems? I think I'm doing it right, but the [UFW BLOCK] shows that ufw blocks connections from some IPs…

Best Answer

Looking at your rules and comparing them to your log brings up a few questions. It looks like you are trying to control all traffic to and from your interface. The problem here is that if you compare the blocked packet to your firewall list you have to find the rule that the packet matches. All of your blocked packets have destination ports that are on your list but source ports that are not. If my computer initiates communication with a standard http web server on your computer then my destination is port 80 and my source is some random number probably in the 50,000+ range. Let's just say mine is 62545. When your web server tries to reply to me it needs to be allowed to go out of your interface on port 80 destined for my 62545. Where on your allow out list is it permitted to have a packet to 62545? If there's no match then the packet will be blocked. If you look at the 2nd to last log entry displayed that is exactly the scenario I just explained. Nowhere on your list does it allow for a packet to go to 62545.

This leaves two things to consider. One, the firewall is stateful, meaning if you initiate communication from your interface out to a destination port, say 80, the return packet will be allowed. The same packet could not enter your interface from the outside if not first initiated from the inside. I think you may be trying to control too much of your outbound traffic. That is unless, the second thing, you are controlling routing between interfaces. If that is the case then the rule setup requires more information in your syntax (type 'man ufw' from the command line for details). I typically enter detailed rules as I showed previously but only on the incoming side because I am not routing between interfaces. The detailed rule makes it easier to re-evaluate the rules later if questions arise regarding the UFW configuration. Try dropping your allow out rules if you are not routing and see if the problem is resolved. I could be wrong but that is the way I interpret the UFW and the way I use it successfully. Good luck. Hope this helps.
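As an added example (not part of the question or the answer above), the following Python script does mechanically what the answer describes: it parses each `[UFW BLOCK]` line, reads `SPT` (source port) and `DPT` (destination port), and looks for the allow rule that covers the destination port. It also keeps the bare tokens the kernel writes between `RES=` and `URGP=`, which are the TCP flags: a packet with `SYN` is opening a new connection, while one with only `ACK` or `ACK FIN` belongs to a connection that must already be known to the stateful firewall's connection tracking. The sample log is constructed to mirror the question's lines (masked `x` octets kept); a fourth line with a `SYN` to port 2222 is invented for contrast, and the allow list is the one from the `ufw status` output in the question.

```python
"""Check [UFW BLOCK] syslog lines against a ufw allow list.

Added example; not the ufw project's code. The allow list and sample
log lines are taken from / constructed after the question on this page.
"""
import re

# Allow list copied from the `ufw status` output in the question:
# (protocol, or None for "both"), lowest port, highest port.
ALLOW_RULES = [
    (None, 22, 22),
    (None, 80, 80),
    ("TCP", 1500, 1600),
    ("UDP", 1500, 1600),
]

# Bare tokens the kernel LOG target prints between RES= and URGP= for TCP.
TCP_FLAG_NAMES = {"SYN", "ACK", "FIN", "RST", "PSH", "URG", "ECE", "CWR"}

UFW_RE = re.compile(r"\[UFW (?P<action>[A-Z]+)\]\s*(?P<rest>.*)")

# Constructed sample: the first three lines mirror the question's log
# (masked octets kept); the fourth is an invented SYN to a port that is
# not in the allow list, so the two cases can be told apart.
SAMPLE_LOG = """\
[UFW BLOCK] IN=eth0 OUT= MAC=xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx SRC=189.173.30.x DST=xx:xx:xx:xx LEN=52 TOS=0x00 PREC=0x00 TTL=53 ID=52308 DF PROTO=TCP SPT=52572 DPT=1557 WINDOW=1445 RES=0x00 ACK FIN URGP=0
[UFW BLOCK] IN=eth0 OUT= MAC=xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx SRC=189.173.30.x DST=xx:xx:xx:xx LEN=52 TOS=0x00 PREC=0x00 TTL=53 ID=12518 DF PROTO=TCP SPT=62545 DPT=80 WINDOW=1445 RES=0x00 ACK FIN URGP=0
[UFW BLOCK] IN=eth0 OUT= MAC=xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx SRC=187.210.142.x DST=xx:xx:xx:xx LEN=40 TOS=0x00 PREC=0x00 TTL=117 ID=6018 PROTO=TCP SPT=48744 DPT=1563 WINDOW=8160 RES=0x00 ACK URGP=0
[UFW BLOCK] IN=eth0 OUT= MAC=xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx SRC=203.0.113.x DST=xx:xx:xx:xx LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=777 DF PROTO=TCP SPT=40000 DPT=2222 WINDOW=65535 RES=0x00 SYN URGP=0
"""

EXPLANATION = {
    "NO_RULE": "no allow rule covers the destination port",
    "ALLOWED_NOT_SYN": ("destination port is allowed, but the packet carries no SYN: "
                        "it is not a new connection, so a stateful firewall accepts it "
                        "only when connection tracking already knows the flow"),
    "ALLOWED_NEW": ("destination port is allowed and the packet can open a connection "
                    "(TCP SYN, or a non-TCP protocol): an allow rule should match"),
}


def parse_ufw_line(line):
    """Return a dict of the KEY=VALUE fields plus ACTION and a FLAGS set, or None."""
    m = UFW_RE.search(line)
    if not m:
        return None
    rec = {"ACTION": m.group("action"), "FLAGS": set()}
    for tok in m.group("rest").split():
        if "=" in tok:
            key, _, value = tok.partition("=")   # OUT= yields an empty value
            rec[key] = value
        elif tok in TCP_FLAG_NAMES:
            rec["FLAGS"].add(tok)
        # other bare tokens such as DF (don't fragment) are ignored
    for key in ("SPT", "DPT", "LEN", "TTL", "ID"):
        if key in rec:
            rec[key] = int(rec[key])
    return rec


def matching_rule(rec):
    """Return the first allow rule whose protocol and port range cover DPT, or None."""
    dpt = rec.get("DPT")
    if dpt is None:
        return None
    for rule_proto, low, high in ALLOW_RULES:
        if rule_proto is not None and rule_proto != rec.get("PROTO"):
            continue
        if low <= dpt <= high:
            return (rule_proto, low, high)
    return None


def classify(rec):
    """Verdict code for one blocked packet (see EXPLANATION)."""
    if matching_rule(rec) is None:
        return "NO_RULE"
    if rec.get("PROTO") == "TCP" and "SYN" not in rec["FLAGS"]:
        return "ALLOWED_NOT_SYN"
    return "ALLOWED_NEW"


def analyze(log_text):
    """Parse every [UFW BLOCK] line in log_text and classify it."""
    results = []
    for line in log_text.splitlines():
        rec = parse_ufw_line(line)
        if rec is None or rec["ACTION"] != "BLOCK":
            continue
        results.append({
            "src": rec.get("SRC"), "proto": rec.get("PROTO"),
            "spt": rec.get("SPT"), "dpt": rec.get("DPT"),
            "flags": sorted(rec["FLAGS"]), "verdict": classify(rec),
        })
    return results


if __name__ == "__main__":
    for r in analyze(SAMPLE_LOG):
        print(f"{r['src']:>16} {r['proto']} SPT={r['spt']} DPT={r['dpt']} "
              f"flags={','.join(r['flags']) or '-'}: {EXPLANATION[r['verdict']]}")
```

Run it as-is to see the four sample lines classified, or feed it the real file with `analyze(open("/var/log/syslog").read())`. For the question's lines the script reports that every destination port is covered by an allow rule and that none of the packets is a SYN, which is the detail to check next when a port that is "allowed" still shows up under `[UFW BLOCK]`.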
