SOLVED - IPTables INPUT DROP and Port Opening

Question

I'm hosting a Mail Server (PostFix, PostFix Admin, Dovecot), a Minecraft Server and a Discord bot, I'm trying to create a firewall with INPUT and OUTPUT drop, however with this configuartion, everything stop working, example also with the port 143 open my roundcube cannot connect to the imap server, same for the minecraft server, I load the 25565 port but it stop there and the discord bot cannot connect to discord servers (should be http), while if I put OUTPUT DROP it just stop every connection also my ssh (custom port 2233). Any help?

Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:imap2
ACCEPT     udp  --  anywhere             anywhere             udp dpt:1988
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:1988
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http-alt
ACCEPT     udp  --  anywhere             anywhere             udp dpt:http-alt
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:8192
ACCEPT     udp  --  anywhere             anywhere             udp dpt:8192
f2b-sshd   tcp  --  anywhere             anywhere             multiport dports ssh
bungee     tcp  --  anywhere             anywhere             tcp dpt:25562
bungee     tcp  --  anywhere             anywhere             tcp dpt:25579
bungee     tcp  --  anywhere             anywhere             tcp dpt:25569
bungee     tcp  --  anywhere             anywhere             tcp dpt:25563
bungee     tcp  --  anywhere             anywhere             tcp dpt:25567
bungee     tcp  --  anywhere             anywhere             tcp dpt:41310
bungee     tcp  --  anywhere             anywhere             tcp dpt:41311
bungee     tcp  --  anywhere             anywhere             tcp dpt:41312
bungee     tcp  --  anywhere             anywhere             tcp dpt:25999
bungee     tcp  --  anywhere             anywhere             tcp dpt:25564
bungee     tcp  --  anywhere             anywhere             tcp dpt:30801
bungee     tcp  --  anywhere             anywhere             tcp dpt:30802
bungee     tcp  --  anywhere             anywhere             tcp dpt:30803
bungee     tcp  --  anywhere             anywhere             tcp dpt:30810
bungee     tcp  --  anywhere             anywhere             tcp dpt:25342
ACCEPT     udp  --  anywhere             anywhere             udp dpt:8183
ACCEPT     udp  --  anywhere             anywhere             udp dpt:8182
ACCEPT     udp  --  anywhere             anywhere             udp dpt:8181
ACCEPT     udp  --  anywhere             anywhere             udp dpt:8191
ACCEPT     udp  --  anywhere             anywhere             udp dpt:587
ACCEPT     udp  --  anywhere             anywhere             udp dpt:465
ACCEPT     udp  --  anywhere             anywhere             udp dpt:2233
ACCEPT     udp  --  anywhere             anywhere             udp dpt:25
ACCEPT     udp  --  anywhere             anywhere             udp dpt:143
ACCEPT     udp  --  anywhere             anywhere             udp dpt:993
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:imaps
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:imap2
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:https
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http-alt
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:25565
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:submission
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:urd
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:8191
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:8183
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:8182
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:8181
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:smtp
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:2233
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:imap2
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:8443
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http-alt
ACCEPT     tcp  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:2233
ACCEPT     udp  --  anywhere             anywhere             udp dpt:2233
ACCEPT     udp  --  anywhere             anywhere             udp dpt:25
ACCEPT     udp  --  anywhere             anywhere             udp dpt:143
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:imap2
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:25565
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:imaps
ACCEPT     udp  --  anywhere             anywhere             udp dpt:993
ACCEPT     udp  --  anywhere             anywhere             udp dpt:25565
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:urd
ACCEPT     udp  --  anywhere             anywhere             udp dpt:465
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:smtp state NEW,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:imap2 state NEW,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:imaps state NEW,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:urd state NEW,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:submission state NEW,ESTABLISHED

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     udp  --  anywhere             anywhere             udp dpt:8183
ACCEPT     udp  --  anywhere             anywhere             udp dpt:8182
ACCEPT     udp  --  anywhere             anywhere             udp dpt:8181
ACCEPT     udp  --  anywhere             anywhere             udp dpt:8191
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:8191
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:8183
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:8182
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:8181
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:25565
ACCEPT     udp  --  anywhere             anywhere             udp dpt:25565
ACCEPT     udp  --  anywhere             anywhere             udp dpt:465
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:urd
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:imap2
ACCEPT     udp  --  anywhere             anywhere             udp dpt:143
ACCEPT     udp  --  anywhere             anywhere             udp dpt:993
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:imaps
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:2233
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http-alt
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:https
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:smtp
ACCEPT     udp  --  anywhere             anywhere             udp dpt:25
ACCEPT     udp  --  anywhere             anywhere             udp dpt:443
ACCEPT     udp  --  anywhere             anywhere             udp dpt:http-alt
ACCEPT     udp  --  anywhere             anywhere             udp dpt:80
ACCEPT     udp  --  anywhere             anywhere             udp dpt:2233
ACCEPT     tcp  --  anywhere             anywhere             tcp spt:smtp state ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere             tcp spt:imap2 state ESTABLISHED

Chain bungee (15 references)
target     prot opt source               destination
ACCEPT     all  --  vmi294204.contaboserver.net  anywhere
ACCEPT     all  --  localhost            anywhere
DROP       all  --  anywhere             anywhere

Chain f2b-sshd (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere

Answer 1

You are missing some standard firewall rules, which are almost in every ruleset:

iptables -I INPUT 1 -i lo -j ACCEPT
iptables -I INPUT 2 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

You certainly want to allow all communication over the loopback device (it is coming from the server itself) and to allow every established connection (you already accepted it once). These rules are usually the first once for performance reasons.

In your OUTPUT chain you have all ports in the wrong direction (--dport instead of --sport).

It is very unusual to set DROP as OUTPUT's policy and it requires a good knowledge of how your services and the system work.

You already noticed the missing ACCEPT rule for ssh[*] and you probably want to add similar rules to OUTPUT as the once I gave for INPUT. However you didn't think about name resolution:

iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 53 -j ACCEPT

and DHCP (if you are using it). Moreover ICMP is almost a must:

iptables -A INPUT -p icmp -j ACCEPT
iptables -A OUTPUT -p icmp -j ACCEPT

since it isn't just used by ping, but gives important diagnostic information like "No route to host". Without them your services will wait until the timeout, every time a network error occurs.

PS: use the multiport and comment modules to make your rules more readable, e.g.:

iptables -A INPUT -m multiport --dports smtp,465,submission -m comment --comment postfix -j ACCEPT

TL;DR: Switching your OUTPUT policy to DROP is not very useful and requires a good knowledge of how every service you use works.

[*] After rereading your question, your are running ssh on another port and you thought about allowing ssh return packets, but you used --dport like in all other rules. What I don't understand is why are you running a fail2ban jail for ssh on port 22 if there is nothing listening there.