I am still plagued with rogue traffic coming from OVH network but that is a different story. Trying to get OVH to acknowledge it is futile. This is occuring only a few weeks after a large-scale Bitcoin hack on servers hosted by them.
Never mind - see the log you were sent - suggests to me that its apache/ngingx that generated that traffic.
Did you look at the sites on your server? Are there any suspicious files on there, any recently changed files? Any spurious activity to/from your server?
Perhaps a "tcpdump port 80" or similar might reveal something.
On the firewall side, maybe if its relevant to you consider outgoing traffic rulesets as well as incoming. Checkout http://www.fwbuilder.org/
for a wonderful GUI tool for implementing firewall rulesets.