I have a problem with a user who is unable to access an Ubuntu 22.04 webserver (he gets ERR_CONNECTION_RESET), apparently due to the firewall blocking his connections. However, he IS able to access a different server on the same network, which has practically the same firewall configuration.
We have no other reports of a similar problem. Fail2ban is not installed. No IP-specific rules are configured.
Does anyone have any suggestions as to where I should look next?
This is an example block from the ufw log:
Aug 22 12:38:45 docs kernel: [4546186.725262] [UFW BLOCK] IN=eth0 OUT= MAC=52:54:00:5c:a4:04:02:00:00:00:00:01:86:dd SRC=2a01:cb06:b871:e0e0:0000:0010:1e4a:c601 DST=2a00:1098:00a4:0000:0000:0000:0000:0001 LEN=60 TC=0 HOPLIMIT=48 FLOWLBL=0 PROTO=TCP SPT=49424 DPT=443 WINDOW=0 RES=0x00 ACK RST URGP=0
On the server he can't access, ufw is configured like this:
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip
To Action From
-- ------ ----
22/tcp ALLOW IN Anywhere
80 ALLOW IN Anywhere
443 ALLOW IN Anywhere
22/tcp (v6) ALLOW IN Anywhere (v6)
80 (v6) ALLOW IN Anywhere (v6)
443 (v6) ALLOW IN Anywhere (v6)
The server he can access is almost identical:
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), deny (routed)
New profiles: skip
To Action From
-- ------ ----
22 LIMIT IN Anywhere
80 ALLOW IN Anywhere
443 ALLOW IN Anywhere
22 (v6) LIMIT IN Anywhere (v6)
80 (v6) ALLOW IN Anywhere (v6)
443 (v6) ALLOW IN Anywhere (v6)
Here is the output from ip6tables on the problem server, in case it helps:
Chain INPUT (policy DROP 3781 packets, 243K bytes)
num pkts bytes target prot opt in out source destination
1 817K 752M ufw6-before-logging-input all * * ::/0 ::/0
2 817K 752M ufw6-before-input all * * ::/0 ::/0
3 3815 245K ufw6-after-input all * * ::/0 ::/0
4 3781 243K ufw6-after-logging-input all * * ::/0 ::/0
5 3781 243K ufw6-reject-input all * * ::/0 ::/0
6 3781 243K ufw6-track-input all * * ::/0 ::/0
Chain FORWARD (policy DROP 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 0 0 ufw6-before-logging-forward all * * ::/0 ::/0
2 0 0 ufw6-before-forward all * * ::/0 ::/0
3 0 0 ufw6-after-forward all * * ::/0 ::/0
4 0 0 ufw6-after-logging-forward all * * ::/0 ::/0
5 0 0 ufw6-reject-forward all * * ::/0 ::/0
6 0 0 ufw6-track-forward all * * ::/0 ::/0
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 48140 8890K ufw6-before-logging-output all * * ::/0 ::/0
2 48140 8890K ufw6-before-output all * * ::/0 ::/0
3 5920 553K ufw6-after-output all * * ::/0 ::/0
4 5920 553K ufw6-after-logging-output all * * ::/0 ::/0
5 5920 553K ufw6-reject-output all * * ::/0 ::/0
6 5920 553K ufw6-track-output all * * ::/0 ::/0
Chain ufw6-after-forward (1 references)
num pkts bytes target prot opt in out source destination
Chain ufw6-after-input (1 references)
num pkts bytes target prot opt in out source destination
1 0 0 ufw6-skip-to-policy-input udp * * ::/0 ::/0 udp dpt:137
2 0 0 ufw6-skip-to-policy-input udp * * ::/0 ::/0 udp dpt:138
3 17 1088 ufw6-skip-to-policy-input tcp * * ::/0 ::/0 tcp dpt:139
4 17 1088 ufw6-skip-to-policy-input tcp * * ::/0 ::/0 tcp dpt:445
5 0 0 ufw6-skip-to-policy-input udp * * ::/0 ::/0 udp dpt:546
6 0 0 ufw6-skip-to-policy-input udp * * ::/0 ::/0 udp dpt:547
Chain ufw6-after-logging-forward (1 references)
num pkts bytes target prot opt in out source destination
1 0 0 LOG all * * ::/0 ::/0 limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW BLOCK] "
Chain ufw6-after-logging-input (1 references)
num pkts bytes target prot opt in out source destination
1 60 4000 LOG all * * ::/0 ::/0 limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW BLOCK] "
Chain ufw6-after-logging-output (1 references)
num pkts bytes target prot opt in out source destination
Chain ufw6-after-output (1 references)
num pkts bytes target prot opt in out source destination
Chain ufw6-before-forward (1 references)
num pkts bytes target prot opt in out source destination
1 0 0 DROP all * * ::/0 ::/0 rt type:0
2 0 0 ACCEPT all * * ::/0 ::/0 ctstate RELATED,ESTABLISHED
3 0 0 ACCEPT icmpv6 * * ::/0 ::/0 ipv6-icmptype 1
4 0 0 ACCEPT icmpv6 * * ::/0 ::/0 ipv6-icmptype 2
5 0 0 ACCEPT icmpv6 * * ::/0 ::/0 ipv6-icmptype 3
6 0 0 ACCEPT icmpv6 * * ::/0 ::/0 ipv6-icmptype 4
7 0 0 ACCEPT icmpv6 * * ::/0 ::/0 ipv6-icmptype 128
8 0 0 ACCEPT icmpv6 * * ::/0 ::/0 ipv6-icmptype 129
9 0 0 ufw6-user-forward all * * ::/0 ::/0
Chain ufw6-before-input (1 references)
num pkts bytes target prot opt in out source destination
1 0 0 ACCEPT all lo * ::/0 ::/0
2 0 0 DROP all * * ::/0 ::/0 rt type:0
3 95480 712M ACCEPT all * * ::/0 ::/0 ctstate RELATED,ESTABLISHED
4 0 0 ACCEPT icmpv6 * * ::/0 ::/0 ipv6-icmptype 129
5 106 6468 ufw6-logging-deny all * * ::/0 ::/0 ctstate INVALID
6 106 6468 DROP all * * ::/0 ::/0 ctstate INVALID
7 0 0 ACCEPT icmpv6 * * ::/0 ::/0 ipv6-icmptype 1
8 0 0 ACCEPT icmpv6 * * ::/0 ::/0 ipv6-icmptype 2
9 0 0 ACCEPT icmpv6 * * ::/0 ::/0 ipv6-icmptype 3
10 0 0 ACCEPT icmpv6 * * ::/0 ::/0 ipv6-icmptype 4
11 11 620 ACCEPT icmpv6 * * ::/0 ::/0 ipv6-icmptype 128
12 0 0 ACCEPT icmpv6 * * ::/0 ::/0 ipv6-icmptype 133 HL match HL == 255
13 706K 40M ACCEPT icmpv6 * * ::/0 ::/0 ipv6-icmptype 134 HL match HL == 255
14 0 0 ACCEPT icmpv6 * * ::/0 ::/0 ipv6-icmptype 135 HL match HL == 255
15 4338 278K ACCEPT icmpv6 * * ::/0 ::/0 ipv6-icmptype 136 HL match HL == 255
16 0 0 ACCEPT icmpv6 * * ::/0 ::/0 ipv6-icmptype 141 HL match HL == 255
17 0 0 ACCEPT icmpv6 * * ::/0 ::/0 ipv6-icmptype 142 HL match HL == 255
18 0 0 ACCEPT icmpv6 * * fe80::/10 ::/0 ipv6-icmptype 130
19 0 0 ACCEPT icmpv6 * * fe80::/10 ::/0 ipv6-icmptype 131
20 0 0 ACCEPT icmpv6 * * fe80::/10 ::/0 ipv6-icmptype 132
21 0 0 ACCEPT icmpv6 * * fe80::/10 ::/0 ipv6-icmptype 143
22 0 0 ACCEPT icmpv6 * * ::/0 ::/0 ipv6-icmptype 148 HL match HL == 255
23 0 0 ACCEPT icmpv6 * * ::/0 ::/0 ipv6-icmptype 149 HL match HL == 255
24 0 0 ACCEPT icmpv6 * * fe80::/10 ::/0 ipv6-icmptype 151 HL match HL == 1
25 0 0 ACCEPT icmpv6 * * fe80::/10 ::/0 ipv6-icmptype 152 HL match HL == 1
26 0 0 ACCEPT icmpv6 * * fe80::/10 ::/0 ipv6-icmptype 153 HL match HL == 1
27 0 0 ACCEPT icmpv6 * * ::/0 ::/0 ipv6-icmptype 144
28 0 0 ACCEPT icmpv6 * * ::/0 ::/0 ipv6-icmptype 145
29 0 0 ACCEPT icmpv6 * * ::/0 ::/0 ipv6-icmptype 146
30 0 0 ACCEPT icmpv6 * * ::/0 ::/0 ipv6-icmptype 147
31 0 0 ACCEPT udp * * fe80::/10 fe80::/10 udp spt:547 dpt:546
32 0 0 ACCEPT udp * * ::/0 ff02::fb udp dpt:5353
33 0 0 ACCEPT udp * * ::/0 ff02::f udp dpt:1900
34 10411 723K ufw6-user-input all * * ::/0 ::/0
Chain ufw6-before-logging-forward (1 references)
num pkts bytes target prot opt in out source destination
Chain ufw6-before-logging-input (1 references)
num pkts bytes target prot opt in out source destination
Chain ufw6-before-logging-output (1 references)
num pkts bytes target prot opt in out source destination
Chain ufw6-before-output (1 references)
num pkts bytes target prot opt in out source destination
1 0 0 ACCEPT all * lo ::/0 ::/0
2 0 0 DROP all * * ::/0 ::/0 rt type:0
3 37882 8025K ACCEPT all * * ::/0 ::/0 ctstate RELATED,ESTABLISHED
4 0 0 ACCEPT icmpv6 * * ::/0 ::/0 ipv6-icmptype 1
5 0 0 ACCEPT icmpv6 * * ::/0 ::/0 ipv6-icmptype 2
6 0 0 ACCEPT icmpv6 * * ::/0 ::/0 ipv6-icmptype 3
7 0 0 ACCEPT icmpv6 * * ::/0 ::/0 ipv6-icmptype 4
8 0 0 ACCEPT icmpv6 * * ::/0 ::/0 ipv6-icmptype 128
9 0 0 ACCEPT icmpv6 * * ::/0 ::/0 ipv6-icmptype 129
10 0 0 ACCEPT icmpv6 * * ::/0 ::/0 ipv6-icmptype 133 HL match HL == 255
11 0 0 ACCEPT icmpv6 * * ::/0 ::/0 ipv6-icmptype 136 HL match HL == 255
12 4338 312K ACCEPT icmpv6 * * ::/0 ::/0 ipv6-icmptype 135 HL match HL == 255
13 0 0 ACCEPT icmpv6 * * ::/0 ::/0 ipv6-icmptype 134 HL match HL == 255
14 0 0 ACCEPT icmpv6 * * ::/0 ::/0 ipv6-icmptype 141 HL match HL == 255
15 0 0 ACCEPT icmpv6 * * ::/0 ::/0 ipv6-icmptype 142 HL match HL == 255
16 0 0 ACCEPT icmpv6 * * fe80::/10 ::/0 ipv6-icmptype 130
17 0 0 ACCEPT icmpv6 * * fe80::/10 ::/0 ipv6-icmptype 131
18 0 0 ACCEPT icmpv6 * * fe80::/10 ::/0 ipv6-icmptype 132
19 0 0 ACCEPT icmpv6 * * fe80::/10 ::/0 ipv6-icmptype 143
20 0 0 ACCEPT icmpv6 * * ::/0 ::/0 ipv6-icmptype 148 HL match HL == 255
21 0 0 ACCEPT icmpv6 * * ::/0 ::/0 ipv6-icmptype 149 HL match HL == 255
22 0 0 ACCEPT icmpv6 * * fe80::/10 ::/0 ipv6-icmptype 151 HL match HL == 1
23 0 0 ACCEPT icmpv6 * * fe80::/10 ::/0 ipv6-icmptype 152 HL match HL == 1
24 0 0 ACCEPT icmpv6 * * fe80::/10 ::/0 ipv6-icmptype 153 HL match HL == 1
25 5920 553K ufw6-user-output all * * ::/0 ::/0
Chain ufw6-logging-allow (0 references)
num pkts bytes target prot opt in out source destination
1 0 0 LOG all * * ::/0 ::/0 limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW ALLOW] "
Chain ufw6-logging-deny (1 references)
num pkts bytes target prot opt in out source destination
1 35 2100 RETURN all * * ::/0 ::/0 ctstate INVALID limit: avg 3/min burst 10
2 5 300 LOG all * * ::/0 ::/0 limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW BLOCK] "
Chain ufw6-reject-forward (1 references)
num pkts bytes target prot opt in out source destination
Chain ufw6-reject-input (1 references)
num pkts bytes target prot opt in out source destination
Chain ufw6-reject-output (1 references)
num pkts bytes target prot opt in out source destination
Chain ufw6-skip-to-policy-forward (0 references)
num pkts bytes target prot opt in out source destination
1 0 0 DROP all * * ::/0 ::/0
Chain ufw6-skip-to-policy-input (6 references)
num pkts bytes target prot opt in out source destination
1 34 2176 DROP all * * ::/0 ::/0
Chain ufw6-skip-to-policy-output (0 references)
num pkts bytes target prot opt in out source destination
1 0 0 ACCEPT all * * ::/0 ::/0
Chain ufw6-track-forward (1 references)
num pkts bytes target prot opt in out source destination
Chain ufw6-track-input (1 references)
num pkts bytes target prot opt in out source destination
Chain ufw6-track-output (1 references)
num pkts bytes target prot opt in out source destination
1 563 45040 ACCEPT tcp * * ::/0 ::/0 ctstate NEW
2 5357 507K ACCEPT udp * * ::/0 ::/0 ctstate NEW
Chain ufw6-user-forward (1 references)
num pkts bytes target prot opt in out source destination
Chain ufw6-user-input (1 references)
num pkts bytes target prot opt in out source destination
1 0 0 ACCEPT tcp * * ::/0 ::/0 tcp dpt:22
2 0 0 ACCEPT tcp * * ::/0 ::/0 tcp dpt:80
3 0 0 ACCEPT udp * * ::/0 ::/0 udp dpt:80
4 146 10840 ACCEPT tcp * * ::/0 ::/0 tcp dpt:443
5 0 0 ACCEPT udp * * ::/0 ::/0 udp dpt:443
Chain ufw6-user-limit (0 references)
num pkts bytes target prot opt in out source destination
1 0 0 LOG all * * ::/0 ::/0 limit: avg 3/min burst 5 LOG flags 0 level 4 prefix "[UFW LIMIT BLOCK] "
2 0 0 REJECT all * * ::/0 ::/0 reject-with icmp6-port-unreachable
Chain ufw6-user-limit-accept (0 references)
num pkts bytes target prot opt in out source destination
1 0 0 ACCEPT all * * ::/0 ::/0
Chain ufw6-user-logging-forward (0 references)
num pkts bytes target prot opt in out source destination
Chain ufw6-user-logging-input (0 references)
num pkts bytes target prot opt in out source destination
Chain ufw6-user-logging-output (0 references)
num pkts bytes target prot opt in out source destination
Chain ufw6-user-output (1 references)
num pkts bytes target prot opt in out source destination
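As an added example (not part of the question above), a Python parser for the `[UFW BLOCK]` line format quoted in the question that separates the key=value fields from the bare TCP flag tokens and classifies what was logged: a lone SYN means the port really was refused, while an ACK RST like the one in the question is a reset for a flow conntrack no longer tracks, which the `ctstate INVALID` rules in `ufw6-before-input` drop and log with the same prefix. The second sample line is constructed here for contrast and is not from the question.

```python
import re

# Constructed sample: line 1 is the [UFW BLOCK] entry quoted in the question,
# line 2 is a SYN entry constructed here for contrast.
SAMPLE_LOG = """\
Aug 22 12:38:45 docs kernel: [4546186.725262] [UFW BLOCK] IN=eth0 OUT= MAC=52:54:00:5c:a4:04:02:00:00:00:00:01:86:dd SRC=2a01:cb06:b871:e0e0:0000:0010:1e4a:c601 DST=2a00:1098:00a4:0000:0000:0000:0000:0001 LEN=60 TC=0 HOPLIMIT=48 FLOWLBL=0 PROTO=TCP SPT=49424 DPT=443 WINDOW=0 RES=0x00 ACK RST URGP=0
Aug 22 12:40:01 docs kernel: [4546262.100000] [UFW BLOCK] IN=eth0 OUT= MAC=52:54:00:5c:a4:04:02:00:00:00:00:01:86:dd SRC=2001:db8::1 DST=2a00:1098:00a4:0000:0000:0000:0000:0001 LEN=80 TC=0 HOPLIMIT=48 FLOWLBL=0 PROTO=TCP SPT=50000 DPT=443 WINDOW=64800 RES=0x00 SYN URGP=0
"""

TCP_FLAGS = {"SYN", "ACK", "RST", "FIN", "PSH", "URG", "CWR", "ECE"}
PREFIX_RE = re.compile(r"\[UFW ([A-Z ]+?)\] (.*)$")
KV_RE = re.compile(r"(\w+)=(\S*)")


def parse_ufw_line(line):
    """Split a '[UFW ...]' kernel log line into (action, key=value fields, TCP flags).
    IN=, SRC=, DPT= etc. are key=value tokens; TCP flags appear as bare words
    after RES=, so they are collected separately. Non-ufw lines give None."""
    m = PREFIX_RE.search(line)
    if not m:
        return None
    action, rest = m.group(1), m.group(2)
    fields = dict(KV_RE.findall(rest))
    flags = {tok for tok in rest.split() if tok in TCP_FLAGS}
    return action, fields, flags


def classify(fields, flags):
    """Say what kind of TCP packet was logged, so a block line can be triaged."""
    if fields.get("PROTO") != "TCP":
        return "non-tcp"
    if "SYN" in flags and "ACK" not in flags:
        return "new-connection-refused"  # client's first packet hit a deny rule/policy
    if "RST" in flags:
        # Reset for a flow conntrack no longer tracks: dropped by the ctstate
        # INVALID rule in ufw6-before-input, which logs with the same prefix.
        return "stray-reset"
    return "mid-stream-untracked"  # anything else (ACK, FIN, PSH, SYN+ACK) with no tracked flow


def triage(log_text):
    """Return (SRC, DPT, sorted flags, classification) for every ufw line."""
    results = []
    for line in log_text.splitlines():
        parsed = parse_ufw_line(line)
        if parsed is not None:
            _action, fields, flags = parsed
            results.append((fields.get("SRC"), fields.get("DPT"),
                            sorted(flags), classify(fields, flags)))
    return results
```

Running `triage` over the question's own line reports it as a stray reset rather than a refused connection, which is the distinction to make before treating a `[UFW BLOCK]` entry as the cause of a failed connect.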