Symptom:

 

Recently I noticed there are a lot of logs related to the firewall action, which is blocking TCP packets with the ACK, FIN, or RST flags set.

 

Confluence kernel: [836798.488524] [UFW BLOCK] IN=eth0 OUT= MAC=00:15:5d:0a:ef:06:00:15:5d:0a:ef:09:08:00 SRC=192.168.10.194 DST=192.168.10.103 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=53356 DF PROTO=TCP SPT=55362 DPT=80 WINDOW=262 RES=0x00 ACK FIN URGP=0
Confluence kernel: [836797.671222] [UFW BLOCK] IN=eth0 OUT= MAC=00:15:5d:0a:ef:06:00:15:5d:0a:ef:09:08:00 SRC=192.168.10.194 DST=192.168.10.103 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=53355 DF PROTO=TCP SPT=55362 DPT=80 WINDOW=262 RES=0x00 ACK FIN URGP=0
Confluence kernel: [836385.439944] [UFW BLOCK] IN=eth0 OUT= MAC=00:15:5d:0a:ef:06:00:15:5d:0a:ef:03:08:00 SRC=192.168.10.110 DST=192.168.10.103 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=64384 DF PROTO=TCP SPT=56586 DPT=80 WINDOW=245 RES=0x00 ACK FIN URGP=0
Confluence kernel: [836364.963264] [UFW BLOCK] IN=eth0 OUT= MAC=00:15:5d:0a:ef:06:00:15:5d:0a:ef:09:08:00 SRC=192.168.10.194 DST=192.168.10.103 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=9500 DF PROTO=TCP SPT=55302 DPT=80 WINDOW=245 RES=0x00 ACK FIN URGP=0
Confluence kernel: [836365.807993] [UFW BLOCK] IN=eth0 OUT= MAC=00:15:5d:0a:ef:06:00:15:5d:0a:ef:03:08:00 SRC=192.168.10.110 DST=192.168.10.103 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=64382 DF PROTO=TCP SPT=56586 DPT=80 WINDOW=245 RES=0x00 ACK FIN URGP=0
Confluence kernel: [836122.534158] [UFW BLOCK] IN=eth0 OUT= MAC=00:15:5d:0a:ef:06:00:15:5d:0a:ef:09:08:00 SRC=192.168.10.194 DST=192.168.10.103 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=52748 DF PROTO=TCP SPT=80 DPT=49434 WINDOW=0 RES=0x00 RST URGP=0

This basically tells us that a packet received on interface eth0, with source address 192.168.10.194, destination address 192.168.10.103, protocol TCP and destination port 80, has been blocked. The flag tokens at the end of each line (ACK FIN, or RST on the last line) show that these are packets from connections that are already being closed, not new connection attempts.
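A small parser for the [UFW BLOCK] line format, added here as an example (it is not code from the original post or from UFW): it tallies blocked packets by source, destination, protocol, port and TCP flags, and marks the FIN/RST-only ones as connection-teardown packets. The three sample lines are copied from the log excerpt above.

```python
import re
from collections import Counter

# Bare TCP flag tokens in the iptables/UFW LOG format (no "KEY=" prefix)
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}

# Three lines copied from the [UFW BLOCK] excerpt above, used as sample input
SAMPLE_LOG = """\
Confluence kernel: [836798.488524] [UFW BLOCK] IN=eth0 OUT= MAC=00:15:5d:0a:ef:06:00:15:5d:0a:ef:09:08:00 SRC=192.168.10.194 DST=192.168.10.103 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=53356 DF PROTO=TCP SPT=55362 DPT=80 WINDOW=262 RES=0x00 ACK FIN URGP=0
Confluence kernel: [836385.439944] [UFW BLOCK] IN=eth0 OUT= MAC=00:15:5d:0a:ef:06:00:15:5d:0a:ef:03:08:00 SRC=192.168.10.110 DST=192.168.10.103 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=64384 DF PROTO=TCP SPT=56586 DPT=80 WINDOW=245 RES=0x00 ACK FIN URGP=0
Confluence kernel: [836122.534158] [UFW BLOCK] IN=eth0 OUT= MAC=00:15:5d:0a:ef:06:00:15:5d:0a:ef:09:08:00 SRC=192.168.10.194 DST=192.168.10.103 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=52748 DF PROTO=TCP SPT=80 DPT=49434 WINDOW=0 RES=0x00 RST URGP=0
"""

BLOCK_RE = re.compile(r"\[UFW BLOCK\]\s+(?P<fields>.*)$")


def parse_ufw_block(line):
    """Return {field: value, "FLAGS": set} for one [UFW BLOCK] line, else None."""
    m = BLOCK_RE.search(line)
    if not m:
        return None
    rec = {"FLAGS": set()}
    for tok in m.group("fields").split():
        if "=" in tok:
            key, _, val = tok.partition("=")  # "OUT=" gives an empty value
            rec[key] = val
        elif tok in TCP_FLAGS:
            rec["FLAGS"].add(tok)  # bare words such as ACK, FIN, RST
        # other bare tokens (e.g. DF) are not needed here and are skipped
    return rec


def is_teardown_packet(rec):
    """True for FIN or RST without SYN: the packet belongs to a connection that
    is already closing, not to a new connection attempt."""
    flags = rec["FLAGS"]
    return "SYN" not in flags and bool(flags & {"FIN", "RST"})


def summarize(log_text):
    """Count blocked packets per (SRC, DST, PROTO, DPT, flags) tuple."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_ufw_block(line)
        if rec is None:
            continue
        flags = "+".join(sorted(rec["FLAGS"]))
        counts[(rec["SRC"], rec["DST"], rec["PROTO"], rec["DPT"], flags)] += 1
    return counts
```

Run summarize() over the output of `journalctl -k` or /var/log/ufw.log to see which host/port pairs generate the blocks before writing any accept rule.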

So we need to tell iptables to accept these packets:

Solution:
administrator@Confluence:~$ sudo iptables -I ufw-before-input -s 192.168.10.110 -d 192.168.10.103 -p tcp --dport 80 -j ACCEPT
administrator@Confluence:~$ sudo iptables -I ufw-before-input -s 192.168.10.194 -d 192.168.10.103 -p tcp --dport 80 -j ACCEPT

Note that these entries will be lost after a reboot. To make them persistent:

You may want to use the iptables-persistent package rather than mess with your boot scripts. First, run your script to set up the firewall rules. Secondly, run sudo apt-get install iptables-persistent and follow the prompts. When it asks to save the current rules, answer “Yes” at both prompts. Now, on reboots, your iptables rules will be restored.


NOTE: If you change your rules after this, you will need to run the following command(s) after the changes:

To save your IPv4 iptables rules: sudo su -c 'iptables-save > /etc/iptables/rules.v4'

To save your IPv6 ip6tables rules: sudo su -c 'ip6tables-save > /etc/iptables/rules.v6'

Reference

https://ubuntuforums.org/showthread.php?t=1564141