I can't figure out which rule is missing to make this happen...
# iptables -Z ; curl -v -k --connect-timeout 2 http://www.myhost.com/ ; iptables -L -v
* Hostname was NOT found in DNS cache
* Trying <correct IP>...
* Connection timed out after 2001 milliseconds
* Closing connection 0
curl: (28) Connection timed out after 2001 milliseconds
Chain INPUT (policy DROP 2 packets, 120 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- lo any ip6-localhost anywhere
0 0 DROP all -f any any anywhere anywhere
0 0 DROP tcp -- any any anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,ACK
0 0 DROP tcp -- any any anywhere anywhere tcp flags:FIN,SYN/FIN,SYN
0 0 DROP tcp -- any any anywhere anywhere tcp flags:SYN,RST/SYN,RST
0 0 DROP all -- any any 200.200.200.200 anywhere
0 0 DROP all -- any any 192.168.0.0/24 anywhere
0 0 DROP all -- eth+ any 127.0.0.0/8 anywhere
0 0 DROP tcp -- any any anywhere anywhere tcp flags:!FIN,SYN,RST,ACK/SYN state NEW
9 468 ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED
0 0 LOG tcp -- any any anywhere anywhere tcp dpt:ssh recent: UPDATE seconds: 20 hit_count: 20 TTL-Match name: SSH side: source mask: 255.255.255.255 LOG level warning prefix "SSH brute force "
0 0 DROP tcp -- any any anywhere anywhere tcp dpt:ssh recent: CHECK seconds: 20 hit_count: 20 TTL-Match name: SSH side: source mask: 255.255.255.255
0 0 icmp-chain icmp -- any any anywhere anywhere
0 0 services all -- eth0+ any anywhere anywhere state NEW
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED
Chain OUTPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- any lo anywhere ip6-localhost
10 1072 ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED
2 120 ACCEPT all -- any any anywhere anywhere state NEW,ESTABLISHED
Chain icmp-chain (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT icmp -- any any anywhere anywhere icmp echo-reply state RELATED,ESTABLISHED
0 0 ACCEPT icmp -- any any anywhere anywhere icmp echo-request limit: avg 5/sec burst 5 state NEW
0 0 ACCEPT icmp -- any any anywhere anywhere icmp destination-unreachable state NEW
0 0 ACCEPT icmp -- any any anywhere anywhere icmp time-exceeded state NEW
0 0 ACCEPT icmp -- any any anywhere anywhere icmp timestamp-request state NEW
0 0 ACCEPT icmp -- any any anywhere anywhere icmp timestamp-reply state RELATED,ESTABLISHED
0 0 DROP all -- any any anywhere anywhere
Chain services (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp -- eth0 any anywhere anywhere tcp dpt:ssh state NEW recent: SET name: SSH side: source mask: 255.255.255.255
0 0 ACCEPT tcp -- eth0+ any anywhere anywhere tcp spts:1024:65535 dpt:http state NEW
0 0 ACCEPT tcp -- eth0+ any anywhere anywhere tcp spts:1024:65535 dpt:https state NEW
0 0 ACCEPT tcp -- eth0+ any anywhere anywhere tcp spts:1024:65535 dpt:smtp state NEW
0 0 ACCEPT tcp -- eth0+ any anywhere anywhere tcp spts:1024:65535 dpt:submission state NEW
0 0 ACCEPT tcp -- eth0+ any anywhere anywhere tcp spts:1024:65535 dpt:imaps state NEW
0 0 ACCEPT tcp -- eth0+ any anywhere anywhere tcp spts:1024:65535 dpt:pop3s state NEW
0 0 ACCEPT tcp -- eth0+ any anywhere anywhere tcp spts:1024:65535 dpt:imap2 state NEW
0 0 ACCEPT tcp -- eth0+ any anywhere anywhere tcp spts:1024:65535 dpt:pop3 state NEW
0 0 ACCEPT tcp -- eth0+ any anywhere anywhere tcp spts:1024:65535 dpt:ftp state NEW
0 0 ACCEPT tcp -- eth0+ any anywhere anywhere tcp spts:1024:65535 dpt:sieve state NEW
0 0 DROP all -- any any anywhere anywhere
It works with iptables -P INPUT ACCEPT
Gosh. After trying to find the problem for 2 hours, I posted the question. And when reading my own post, I saw the answer:
Packets are not referred to the services chain when coming in on lo, only on eth0+ (and so they are not caught in the services chain either).
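As an added illustration (not part of the original post), here is a small Python walk through the relevant INPUT rules that shows why a SYN to the host's own public address, which the kernel delivers over lo with the public IP as source, falls through to the DROP policy, while the same SYN arriving on eth0 reaches the services chain. It assumes the lo rule's source is 127.0.0.1 (the "ip6-localhost" name is only how iptables -L rendered it); the addresses and the reduced rule subset are constructed.

```python
# Added example, not the poster's code: simulate iptables INPUT traversal for one packet.
import ipaddress

def iface_match(pattern, iface):
    # iptables "eth0+" matches any interface name that starts with "eth0"
    if pattern == "any":
        return True
    if pattern.endswith("+"):
        return iface.startswith(pattern[:-1])
    return iface == pattern

def rule_matches(rule, pkt):
    if not iface_match(rule.get("in", "any"), pkt["in"]):
        return False
    if "src" in rule and ipaddress.ip_address(pkt["src"]) not in ipaddress.ip_network(rule["src"]):
        return False
    if rule.get("proto", "all") not in ("all", pkt["proto"]):
        return False
    if "dport" in rule and rule["dport"] != pkt["dport"]:
        return False
    if "state" in rule and pkt["state"] not in rule["state"]:
        return False
    return True

def walk(chains, chain, pkt):
    # First matching terminating rule wins; a user chain with no match returns to the caller.
    for rule in chains[chain]["rules"]:
        if rule_matches(rule, pkt):
            target = rule["target"]
            if target in chains:
                verdict = walk(chains, target, pkt)
                if verdict is not None:
                    return verdict
            else:
                return target
    return chains[chain]["policy"]  # None for user chains => fall back to caller

# Constructed subset of the poster's ruleset: only rules a new TCP SYN to port 80 can hit.
CHAINS = {
    "INPUT": {"policy": "DROP", "rules": [
        {"in": "lo", "src": "127.0.0.1/32", "target": "ACCEPT"},         # assumed 127.0.0.1
        {"in": "eth+", "src": "127.0.0.0/8", "target": "DROP"},
        {"state": ("RELATED", "ESTABLISHED"), "target": "ACCEPT"},
        {"in": "eth0+", "state": ("NEW",), "target": "services"},         # lo never jumps here
    ]},
    "services": {"policy": None, "rules": [
        {"in": "eth0", "proto": "tcp", "dport": 22, "state": ("NEW",), "target": "ACCEPT"},
        {"in": "eth0+", "proto": "tcp", "dport": 80, "state": ("NEW",), "target": "ACCEPT"},
        {"target": "DROP"},
    ]},
}

def verdict(in_iface, src):
    pkt = {"in": in_iface, "src": src, "proto": "tcp", "dport": 80, "state": "NEW"}
    return walk(CHAINS, "INPUT", pkt)
```

Running verdict("lo", "203.0.113.5") (a constructed public address) returns DROP from the chain policy, which is the counter that increments in the poster's output, whereas the same packet on eth0 is accepted by the services chain.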