[SOLVED] iptables + ip6tables - cannot open port 80

I'm attempting to set up a web server on my Linode running Arch. I'm using Lighttpd, MySQL (MariaDB and phpMyAdmin) and PHP-FPM. For security, I've got a stateful firewall set-up for IPv4 and IPv6 (iptables + ip6tables) built using the instructions from the ArchWiki. Both iptables and ip6tables implement the same rules, just for their respective protocols.

My domain name is listed in the Linode DNS Manager with the Linode nameservers. It is active and has been confirmed to resolve correctly via Reverse DNS in the "Remote Access" tab. For serving web pages, I have Lighttpd listening on port 80 and configured to use an SSL certificate and redirect HTTP requests to HTTPS. However, after opening port 80 via iptables and ip6tables and instructing Lighttpd to use port 80 for HTTP requests before redirecting them to port 443 for HTTPS, I cannot connect to my domain (e.g. http://www.example.com). A quick check of port 80 at my static Linode IP address using a port checking tool indicates that it is closed, as does an Nmap port scan of the address.

I'm concerned that some of iptables settings might be thwarting my efforts to open the port, or that my current configuration somehow does not explicitly open port 80 up to the world. A copy of my iptables configuration is posted below.

# Generated by iptables-save v1.4.21 on Mon Sep 15 04:18:39 2014
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [66:10280]
:TCP - [0:0]
:UDP - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -m limit --limit 30/min --limit-burst 8 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j DROP
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p ipv6 -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p udp -m conntrack --ctstate NEW -j UDP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j TCP
-A INPUT -j REJECT --reject-with icmp-proto-unreachable
-A INPUT -p tcp -m recent --set --name TCP-PORTSCAN --mask 255.255.255.255 --rsource -j REJECT --reject-with tcp-reset
-A INPUT -p udp -m recent --set --name UDP-PORTSCAN --mask 255.255.255.255 --rsource -j REJECT --reject-with icmp-port-unreachable
-A TCP -p tcp -m recent --update --seconds 60 --name TCP-PORTSCAN --mask 255.255.255.255 --rsource -j REJECT --reject-with tcp-reset
-A TCP -p tcp -m tcp --dport 80 -m comment --comment "HTTP connections" -j ACCEPT
-A TCP -p tcp -m tcp --dport 443 -m comment --comment "SSL connections" -j ACCEPT
-A TCP -p tcp -m tcp --dport 53 -m comment --comment DNS -j ACCEPT
-A TCP -p tcp -m tcp --dport 127 -m comment --comment "SSH uses port 127" -j ACCEPT
-A UDP -p udp -m recent --update --seconds 60 --name UDP-PORTSCAN --mask 255.255.255.255 --rsource -j REJECT --reject-with icmp-port-unreachable
-A UDP -p udp -m udp --dport 53 -m comment --comment "DNS" -j ACCEPT
COMMIT
# Completed on Mon Sep 15 04:18:39 2014

The entries that might be suspect would be:

-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j TCP
-A TCP -p tcp -m tcp --dport 80 -m comment --comment "HTTP connections" -j ACCEPT

The first entry attaches the TCP chain I created to the INPUT chain and requires that new TCP connections be started with SYN packets. Would this block incoming HTTP requests?

The second entry is how I open port 80. Specifying an interface is not necessary, since the default accepts connections from both interfaces. The only other thing I can think of would be to modify the command to include "-m state --state NEW" as some have suggested.

-A TCP -p tcp -m tcp --dport 80 -m state --state NEW -m comment --comment "HTTP connections" -j ACCEPT

However, I think this is unlikely, since my iptables entry responsible for opening port 443 for SSL requests is working just fine without the additional syntax.

Any and all help/suggestions would be appreciated. I can also post my Lighttpd configuration file if needed.
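The rule walk the question is asking about, as an added example that is not part of the original post: a small Python simulator that parses an iptables-save dump and traces a synthetic packet through INPUT and the user-defined TCP chain. It is not how the kernel evaluates rules (the comment match is ignored, the xt_recent time window is not modelled, and only the options used in the posted rules are understood), and the packet fields, the source address 198.51.100.7 and the interface name eth0 are assumptions made for the example.

```python
"""Trace a synthetic packet through an iptables-save dump (added example).
Not the kernel's evaluation: comment is ignored, the recent time window is
not modelled, and only options used in the rules below are recognised."""
import shlex

# Trimmed copy of the filter table posted above (UDP and ICMP rules left out).
RULESET = """\
*filter
:INPUT DROP [0:0]
:TCP - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j TCP
-A INPUT -j REJECT --reject-with icmp-proto-unreachable
-A INPUT -p tcp -m recent --set --name TCP-PORTSCAN --mask 255.255.255.255 --rsource -j REJECT --reject-with tcp-reset
-A TCP -p tcp -m recent --update --seconds 60 --name TCP-PORTSCAN --mask 255.255.255.255 --rsource -j REJECT --reject-with tcp-reset
-A TCP -p tcp -m tcp --dport 80 -m comment --comment "HTTP connections" -j ACCEPT
-A TCP -p tcp -m tcp --dport 443 -m comment --comment "SSL connections" -j ACCEPT
COMMIT
"""

# Number of values each recognised option consumes; anything else raises.
ARITY = {"-j": 1, "--reject-with": 1, "-i": 1, "-p": 1, "--dport": 1, "--ctstate": 1,
         "--tcp-flags": 2, "--name": 1, "-m": 1, "--mask": 1, "--seconds": 1,
         "--comment": 1, "--set": 0, "--update": 0, "--rsource": 0}

def parse(dump):
    """Return ({chain: policy}, {chain: [rule tokens]}); policy '-' = user chain."""
    policies, chains = {}, {}
    for line in dump.splitlines():
        if line.startswith(":"):
            name, policy = line[1:].split()[:2]
            policies[name], chains[name] = policy, []
        elif line.startswith("-A "):
            tokens = shlex.split(line)  # keeps a quoted comment as one token
            chains[tokens[1]].append(tokens[2:])
    return policies, chains

def group_options(args):
    """Turn rule tokens into (option, [values]) pairs using ARITY."""
    i, opts = 0, []
    while i < len(args):
        if args[i] not in ARITY:
            raise ValueError(f"unsupported option {args[i]}")
        n = ARITY[args[i]]
        opts.append((args[i], args[i + 1:i + 1 + n]))
        i += 1 + n
    return opts

def rule_matches(args, pkt, recent):
    """Evaluate one rule against pkt; return (matches, target, reject_with)."""
    opts, ok = group_options(args), True
    for opt, v in opts:
        if opt == "-i":
            ok &= pkt["iface"] == v[0]
        elif opt == "-p":
            ok &= pkt["proto"] == v[0]
        elif opt == "--dport":
            ok &= pkt.get("dport") == int(v[0])
        elif opt == "--ctstate":
            ok &= pkt["ctstate"] in v[0].split(",")
        elif opt == "--tcp-flags":  # packet flags under mask v[0] must equal set v[1]
            ok &= (pkt.get("flags", set()) & set(v[0].split(","))) == set(v[1].split(","))
    # xt_recent: --update matches only a source already listed under --name;
    # --set always matches and records the source in that list.
    name = next((v[0] for o, v in opts if o == "--name"), None)
    if ("--update", []) in opts:
        ok &= (name, pkt["src"]) in recent
    elif ("--set", []) in opts and ok:
        recent.add((name, pkt["src"]))
    target = next((v[0] for o, v in opts if o == "-j"), None)
    reject_with = next((v[0] for o, v in opts if o == "--reject-with"), None)
    return ok, target, reject_with

def walk(chain, policies, chains, pkt, recent):
    """Walk one chain; return (verdict, reject_with), or None when a user chain ends."""
    for args in chains[chain]:
        ok, target, reject_with = rule_matches(args, pkt, recent)
        if not ok or target is None:
            continue
        if target in ("ACCEPT", "DROP", "REJECT"):
            return target, reject_with
        verdict = walk(target, policies, chains, pkt, recent)  # jump to user chain
        if verdict is not None:
            return verdict
    return None if policies[chain] == "-" else (policies[chain], None)

def tcp_packet(dport, flags=("SYN",), ctstate="NEW", iface="eth0", src="198.51.100.7"):
    """Constructed inbound TCP packet; interface name and source address are made up."""
    return {"proto": "tcp", "dport": dport, "flags": set(flags),
            "ctstate": ctstate, "iface": iface, "src": src}

def verdict_for(pkt, dump=RULESET, recent=None):
    """Verdict INPUT gives pkt; share one 'recent' set across calls to chain packets."""
    policies, chains = parse(dump)
    return walk("INPUT", policies, chains, pkt, set() if recent is None else recent)

if __name__ == "__main__":
    for pkt in (tcp_packet(80), tcp_packet(80, flags=("ACK",)), tcp_packet(8080)):
        print(sorted(pkt["flags"]), "to port", pkt["dport"], "->", verdict_for(pkt))
```

Run as written it reports ACCEPT for a SYN to port 80 and to 443, and REJECT with icmp-proto-unreachable both for a packet conntrack calls NEW that does not carry a lone SYN and for a SYN to a port with no ACCEPT rule. That answers the question: every TCP connection starts with a SYN, so the `--tcp-flags FIN,SYN,RST,ACK SYN` rule lets an ordinary HTTP request through, and a port 80 that reads as closed from outside has to come from somewhere other than these two rules. The walk also shows a side effect of the posted order: the bare `-j REJECT --reject-with icmp-proto-unreachable` rule in INPUT matches everything that reaches it, so the two `recent --set` rules after it are never evaluated and the TCP-PORTSCAN list is never populated.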

2 Replies

Temporarily (for testing) turn IPTABLES and IP6TABLES off and see if your web site comes up.

If yes, then it's your firewall rules.

If no, then it's probably your redirect rule.

I took your advice and tested it, and experienced the exact same behavior. It turns out that port 80 remaining closed was due to an error in my Lighttpd configuration file. I had incorrectly told the Lighttpd server to bind to the localhost as opposed to binding to my external static IP. Once I did that and restarted the service, port 80 remained open and properly redirected my HTTP requests to HTTPS on port 443.

The problem I am having now is that I keep getting a "403 - Forbidden" result when I try to visit the static HTML page that is my website right now (it's just a 'Hello world' thing). I suspect it might be a problem with the permissions on the document directory specified in Lighttpd, but everything seems to be configured correctly so far.

I'll open a new thread asking about the Lighttpd problems, but otherwise I will mark this thread as closed, since my original problem of not having port 80 remain open seems to have been solved. Thank you for your help!
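The check that separates the two cases in the reply above (firewall versus daemon configuration) and that would have caught the bind error described in the follow-up, as an added example that is not from the original thread: a Python script that reads the listener table in the layout `ss -ltn` prints and reports, for one port, whether any listener is bound so that connections arriving on a non-loopback interface can reach it. The sample table is constructed for the example, the addresses 203.0.113.5 and the ports other than 80 and 443 are made up, and the exact column layout of `ss` differs between versions.

```python
"""Classify how a port is bound from `ss -ltn` output (added example).
Reports whether a listener on the port accepts connections on non-loopback
interfaces, the check that would have caught the lighttpd bind error above."""
import ipaddress

# Constructed sample in the layout `ss -ltn` prints; not taken from the post.
SS_OUTPUT = """\
State   Recv-Q  Send-Q   Local Address:Port    Peer Address:Port
LISTEN  0       128          127.0.0.1:80           0.0.0.0:*
LISTEN  0       128              [::1]:80              [::]:*
LISTEN  0       128            0.0.0.0:443          0.0.0.0:*
LISTEN  0       128                  *:22                 *:*
LISTEN  0       128        203.0.113.5:8080         0.0.0.0:*
"""

def parse_listeners(text):
    """Return [(bind_address, port)] for every LISTEN line; handles v4, [v6] and '*'."""
    listeners = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue  # header or unexpected line
        addr, _, port = fields[3].rpartition(":")  # rpartition keeps IPv6 colons intact
        listeners.append((addr.strip("[]"), int(port)))
    return listeners

def reachable_from_outside(addr):
    """True if connections arriving on a non-loopback interface can reach this bind."""
    if addr in ("*", "0.0.0.0", "::"):
        return True  # wildcard bind
    return not ipaddress.ip_address(addr).is_loopback

def check_port(text, port):
    """'open', 'loopback-only' or 'not-listening' for the given port."""
    binds = [a for a, p in parse_listeners(text) if p == port]
    if not binds:
        return "not-listening"
    return "open" if any(reachable_from_outside(a) for a in binds) else "loopback-only"

if __name__ == "__main__":
    for port in (80, 443, 22, 8080, 8443):
        print(port, check_port(SS_OUTPUT, port))
```

A result of loopback-only for port 80 means the firewall rules are not the cause: the kernel answers an outside SYN with a reset before any daemon is involved, so an external port check reports the port closed whether iptables is running or not, which is the symptom described above. Once the daemon is bound to a wildcard or to the external address, the same port reads as open, and only then does the firewall rule set matter.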
