I have a very permissive firewall configuration, where I have almost all ports open:
$ sudo ufw status verbose
Status: active
Logging: on (low)
Default: allow (incoming), allow (outgoing), deny (routed)
New profiles: skip
To Action From
-- ------ ----
Anywhere ALLOW IN 127.0.0.1
Anywhere ALLOW IN 10.0.0.0/16
53 DENY IN Anywhere
27017 DENY IN Anywhere
5335 DENY IN Anywhere
I don't understand then why I'm seeing these UFW BLOCK entries in my log:
Apr 16 21:28:04 hostname kernel: [20920.490239] [UFW BLOCK] IN=eth0 OUT= MAC=xx:xx:xx SRC=MY_PUBLIC_IP DST=10.0.0.40 LEN=40 TOS=0x00 PREC=0x00 TTL=62 ID=0 DF PROTO=TCP SPT=60369 DPT=58946 WINDOW=0 RES=0x00 RST URGP=0
Apr 16 21:28:09 hostname kernel: [20925.495136] [UFW BLOCK] IN=eth0 OUT= MAC=xx:xx:xx SRC=MY_PUBLIC_IP DST=10.0.0.40 LEN=40 TOS=0x00 PREC=0x00 TTL=62 ID=0 DF PROTO=TCP SPT=45545 DPT=58946 WINDOW=0 RES=0x00 RST URGP=0
Apr 16 21:28:11 hostname kernel: [20927.479072] [UFW BLOCK] IN=eth0 OUT= MAC=xx:xx:xx SRC=MY_PUBLIC_IP DST=10.0.0.40 LEN=40 TOS=0x00 PREC=0x00 TTL=62 ID=0 DF PROTO=TCP SPT=58433 DPT=58946 WINDOW=0 RES=0x00 RST URGP=0
Apr 16 21:28:12 hostname kernel: [20928.481887] [UFW BLOCK] IN=eth0 OUT= MAC=xx:xx:xx SRC=MY_PUBLIC_IP DST=10.0.0.40 LEN=40 TOS=0x00 PREC=0x00 TTL=62 ID=0 DF PROTO=TCP SPT=44041 DPT=58946 WINDOW=0 RES=0x00 RST URGP=0
Apr 16 21:28:12 hostname kernel: [20928.489277] [UFW BLOCK] IN=eth0 OUT= MAC=xx:xx:xx SRC=MY_PUBLIC_IP DST=10.0.0.40 LEN=40 TOS=0x00 PREC=0x00 TTL=62 ID=0 DF PROTO=TCP SPT=55645 DPT=58946 WINDOW=0 RES=0x00 RST URGP=0
Apr 16 21:28:13 hostname kernel: [20929.493087] [UFW BLOCK] IN=eth0 OUT= MAC=xx:xx:xx SRC=MY_PUBLIC_IP DST=10.0.0.40 LEN=40 TOS=0x00 PREC=0x00 TTL=62 ID=0 DF PROTO=TCP SPT=50245 DPT=58946 WINDOW=0 RES=0x00 RST URGP=0
Apr 16 21:28:13 hostname kernel: [20929.493358] [UFW BLOCK] IN=eth0 OUT= MAC=xx:xx:xx SRC=MY_PUBLIC_IP DST=10.0.0.40 LEN=40 TOS=0x00 PREC=0x00 TTL=62 ID=0 DF PROTO=TCP SPT=56409 DPT=58946 WINDOW=0 RES=0x00 RST URGP=0
They all have my public IP as the source and my private IP as the destination. The destination port is always 58946 (deluged). Even if I explicitly allow this port (which shouldn't be needed), I still get these entries in the log.
Any idea why this is happening and what it means?
EDIT:
Adding full iptables rules:
$ sudo iptables -S
-P INPUT ACCEPT
-P FORWARD DROP
-P OUTPUT ACCEPT
-N DOCKER
-N DOCKER-ISOLATION-STAGE-1
-N DOCKER-ISOLATION-STAGE-2
-N DOCKER-USER
-N monitorix_IN_0
-N monitorix_IN_1
-N monitorix_IN_2
-N monitorix_IN_3
-N monitorix_OUT_0
-N monitorix_OUT_1
-N monitorix_OUT_2
-N monitorix_OUT_3
-N ts-forward
-N ts-input
-N ufw-after-forward
-N ufw-after-input
-N ufw-after-logging-forward
-N ufw-after-logging-input
-N ufw-after-logging-output
-N ufw-after-output
-N ufw-before-forward
-N ufw-before-input
-N ufw-before-logging-forward
-N ufw-before-logging-input
-N ufw-before-logging-output
-N ufw-before-output
-N ufw-logging-allow
-N ufw-logging-deny
-N ufw-not-local
-N ufw-reject-forward
-N ufw-reject-input
-N ufw-reject-output
-N ufw-skip-to-policy-forward
-N ufw-skip-to-policy-input
-N ufw-skip-to-policy-output
-N ufw-track-forward
-N ufw-track-input
-N ufw-track-output
-N ufw-user-forward
-N ufw-user-input
-N ufw-user-limit
-N ufw-user-limit-accept
-N ufw-user-logging-forward
-N ufw-user-logging-input
-N ufw-user-logging-output
-N ufw-user-output
-A INPUT -j ts-input
-A INPUT -p tcp -m tcp --sport 32400 --dport 1024:65535 -m conntrack --ctstate RELATED,ESTABLISHED -j monitorix_OUT_3
-A INPUT -p tcp -m tcp --sport 1024:65535 --dport 32400 -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j monitorix_IN_3
-A INPUT -p udp -m udp --sport 53 --dport 1024:65535 -m conntrack --ctstate RELATED,ESTABLISHED -j monitorix_OUT_2
-A INPUT -p udp -m udp --sport 1024:65535 --dport 53 -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j monitorix_IN_2
-A INPUT -p tcp -m tcp --sport 22 --dport 1024:65535 -m conntrack --ctstate RELATED,ESTABLISHED -j monitorix_OUT_1
-A INPUT -p tcp -m tcp --sport 1024:65535 --dport 22 -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j monitorix_IN_1
-A INPUT -p tcp -m tcp --sport 80 --dport 1024:65535 -m conntrack --ctstate RELATED,ESTABLISHED -j monitorix_OUT_0
-A INPUT -p tcp -m tcp --sport 1024:65535 --dport 80 -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j monitorix_IN_0
-A INPUT -j ufw-before-logging-input
-A INPUT -j ufw-before-input
-A INPUT -j ufw-after-input
-A INPUT -j ufw-after-logging-input
-A INPUT -j ufw-reject-input
-A INPUT -j ufw-track-input
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A FORWARD -o br-b1f439913694 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o br-b1f439913694 -j DOCKER
-A FORWARD -i br-b1f439913694 ! -o br-b1f439913694 -j ACCEPT
-A FORWARD -i br-b1f439913694 -o br-b1f439913694 -j ACCEPT
-A FORWARD -o br-8c2ef18e8cce -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o br-8c2ef18e8cce -j DOCKER
-A FORWARD -i br-8c2ef18e8cce ! -o br-8c2ef18e8cce -j ACCEPT
-A FORWARD -i br-8c2ef18e8cce -o br-8c2ef18e8cce -j ACCEPT
-A FORWARD -o br-13f24cfcf7be -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o br-13f24cfcf7be -j DOCKER
-A FORWARD -i br-13f24cfcf7be ! -o br-13f24cfcf7be -j ACCEPT
-A FORWARD -i br-13f24cfcf7be -o br-13f24cfcf7be -j ACCEPT
-A FORWARD -o br-cd92e6b2b4c4 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o br-cd92e6b2b4c4 -j DOCKER
-A FORWARD -i br-cd92e6b2b4c4 ! -o br-cd92e6b2b4c4 -j ACCEPT
-A FORWARD -i br-cd92e6b2b4c4 -o br-cd92e6b2b4c4 -j ACCEPT
-A FORWARD -j ts-forward
-A FORWARD -j ufw-before-logging-forward
-A FORWARD -j ufw-before-forward
-A FORWARD -j ufw-after-forward
-A FORWARD -j ufw-after-logging-forward
-A FORWARD -j ufw-reject-forward
-A FORWARD -j ufw-track-forward
-A OUTPUT -p tcp -m tcp --sport 1024:65535 --dport 32400 -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j monitorix_OUT_3
-A OUTPUT -p tcp -m tcp --sport 32400 --dport 1024:65535 -m conntrack --ctstate RELATED,ESTABLISHED -j monitorix_IN_3
-A OUTPUT -p udp -m udp --sport 1024:65535 --dport 53 -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j monitorix_OUT_2
-A OUTPUT -p udp -m udp --sport 53 --dport 1024:65535 -m conntrack --ctstate RELATED,ESTABLISHED -j monitorix_IN_2
-A OUTPUT -p tcp -m tcp --sport 1024:65535 --dport 22 -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j monitorix_OUT_1
-A OUTPUT -p tcp -m tcp --sport 22 --dport 1024:65535 -m conntrack --ctstate RELATED,ESTABLISHED -j monitorix_IN_1
-A OUTPUT -p tcp -m tcp --sport 1024:65535 --dport 80 -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j monitorix_OUT_0
-A OUTPUT -p tcp -m tcp --sport 80 --dport 1024:65535 -m conntrack --ctstate RELATED,ESTABLISHED -j monitorix_IN_0
-A OUTPUT -j ufw-before-logging-output
-A OUTPUT -j ufw-before-output
-A OUTPUT -j ufw-after-output
-A OUTPUT -j ufw-after-logging-output
-A OUTPUT -j ufw-reject-output
-A OUTPUT -j ufw-track-output
-A DOCKER -d 172.17.0.2/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 80 -j ACCEPT
-A DOCKER -d 172.17.0.3/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 58946 -j ACCEPT
-A DOCKER -d 172.17.0.3/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 58846 -j ACCEPT
-A DOCKER -d 172.17.0.3/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 8112 -j ACCEPT
-A DOCKER -d 172.17.0.4/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 8181 -j ACCEPT
-A DOCKER -d 172.17.0.5/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 8080 -j ACCEPT
-A DOCKER -d 172.20.0.3/32 ! -i br-13f24cfcf7be -o br-13f24cfcf7be -p tcp -m tcp --dport 8081 -j ACCEPT
-A DOCKER -d 172.20.0.4/32 ! -i br-13f24cfcf7be -o br-13f24cfcf7be -p tcp -m tcp --dport 7777 -j ACCEPT
-A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -i br-b1f439913694 ! -o br-b1f439913694 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -i br-8c2ef18e8cce ! -o br-8c2ef18e8cce -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -i br-13f24cfcf7be ! -o br-13f24cfcf7be -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -i br-cd92e6b2b4c4 ! -o br-cd92e6b2b4c4 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -j RETURN
-A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -o br-b1f439913694 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -o br-8c2ef18e8cce -j DROP
-A DOCKER-ISOLATION-STAGE-2 -o br-13f24cfcf7be -j DROP
-A DOCKER-ISOLATION-STAGE-2 -o br-cd92e6b2b4c4 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -j RETURN
-A DOCKER-USER -j RETURN
-A ts-forward -i tailscale0 -j MARK --set-xmark 0x40000/0xff0000
-A ts-forward -m mark --mark 0x40000/0xff0000 -j ACCEPT
-A ts-forward -s 100.64.0.0/10 -o tailscale0 -j DROP
-A ts-forward -o tailscale0 -j ACCEPT
-A ts-input -s 100.106.250.67/32 -i lo -j ACCEPT
-A ts-input -s 100.115.92.0/23 ! -i tailscale0 -j RETURN
-A ts-input -s 100.64.0.0/10 ! -i tailscale0 -j DROP
-A ufw-after-input -p udp -m udp --dport 137 -j ufw-skip-to-policy-input
-A ufw-after-input -p udp -m udp --dport 138 -j ufw-skip-to-policy-input
-A ufw-after-input -p tcp -m tcp --dport 139 -j ufw-skip-to-policy-input
-A ufw-after-input -p tcp -m tcp --dport 445 -j ufw-skip-to-policy-input
-A ufw-after-input -p udp -m udp --dport 67 -j ufw-skip-to-policy-input
-A ufw-after-input -p udp -m udp --dport 68 -j ufw-skip-to-policy-input
-A ufw-after-input -m addrtype --dst-type BROADCAST -j ufw-skip-to-policy-input
-A ufw-after-logging-forward -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "
-A ufw-before-forward -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-forward -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A ufw-before-forward -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A ufw-before-forward -p icmp -m icmp --icmp-type 12 -j ACCEPT
-A ufw-before-forward -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A ufw-before-forward -j ufw-user-forward
-A ufw-before-input -i lo -j ACCEPT
-A ufw-before-input -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-input -m conntrack --ctstate INVALID -j ufw-logging-deny
-A ufw-before-input -m conntrack --ctstate INVALID -j DROP
-A ufw-before-input -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A ufw-before-input -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A ufw-before-input -p icmp -m icmp --icmp-type 12 -j ACCEPT
-A ufw-before-input -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A ufw-before-input -p udp -m udp --sport 67 --dport 68 -j ACCEPT
-A ufw-before-input -j ufw-not-local
-A ufw-before-input -d 224.0.0.251/32 -p udp -m udp --dport 5353 -j ACCEPT
-A ufw-before-input -d 239.255.255.250/32 -p udp -m udp --dport 1900 -j ACCEPT
-A ufw-before-input -j ufw-user-input
-A ufw-before-output -o lo -j ACCEPT
-A ufw-before-output -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-output -j ufw-user-output
-A ufw-logging-allow -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] "
-A ufw-logging-deny -m conntrack --ctstate INVALID -m limit --limit 3/min --limit-burst 10 -j RETURN
-A ufw-logging-deny -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "
-A ufw-not-local -m addrtype --dst-type LOCAL -j RETURN
-A ufw-not-local -m addrtype --dst-type MULTICAST -j RETURN
-A ufw-not-local -m addrtype --dst-type BROADCAST -j RETURN
-A ufw-not-local -m limit --limit 3/min --limit-burst 10 -j ufw-logging-deny
-A ufw-not-local -j DROP
-A ufw-skip-to-policy-forward -j DROP
-A ufw-skip-to-policy-input -j ACCEPT
-A ufw-skip-to-policy-output -j ACCEPT
-A ufw-track-input -p tcp -m conntrack --ctstate NEW -j ACCEPT
-A ufw-track-input -p udp -m conntrack --ctstate NEW -j ACCEPT
-A ufw-track-output -p tcp -m conntrack --ctstate NEW -j ACCEPT
-A ufw-track-output -p udp -m conntrack --ctstate NEW -j ACCEPT
-A ufw-user-input -p tcp -m tcp --dport 22 -j ACCEPT
-A ufw-user-input -p udp -m udp --dport 22 -j ACCEPT
-A ufw-user-input -s 127.0.0.1/32 -j ACCEPT
-A ufw-user-input -s 10.0.0.0/16 -j ACCEPT
-A ufw-user-input -p tcp -m tcp --dport 53 -j DROP
-A ufw-user-input -p udp -m udp --dport 53 -j DROP
-A ufw-user-input -p tcp -m tcp --dport 27017 -j DROP
-A ufw-user-input -p udp -m udp --dport 27017 -j DROP
-A ufw-user-input -p tcp -m tcp --dport 5335 -j DROP
-A ufw-user-input -p udp -m udp --dport 5335 -j DROP
-A ufw-user-limit -m limit --limit 3/min -j LOG --log-prefix "[UFW LIMIT BLOCK] "
-A ufw-user-limit -j REJECT --reject-with icmp-port-unreachable
-A ufw-user-limit-accept -j ACCEPT