Nowhere did I write that I have a few years of experience; that makes no sense, if I had, I wouldn't be posting.
A partial explanation of how REJECT works with ESTABLISHED in the OUTPUT chain:
The ports used on a TCP flow aren't symmetric: while the server (daemon) end listens on port 22, the client end will use a random high numbered (1024+) port. If you do your filtering on destination port, then these will be blocked. You'll want something like 'iptables -A OUTPUT -m state --state ESTABLISHED,RELATED' before the reject line to make replies to external requests work.
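
An added example, not part of the original post: a simplified first-match model of the OUTPUT chain that shows why a reply from sshd is rejected by destination-port filtering and why the ESTABLISHED,RELATED rule has to come before the reject line. The allowed ports (53, 80, 443), the client port 51514 and all function names are constructed assumptions; the model is not netfilter itself.

```python
# Simplified first-match model of an iptables OUTPUT chain.
# Sample ports and packets below are constructed for illustration.

ALLOWED_DPORTS = {53, 80, 443}  # assumed outbound allow-list


def rule_established(pkt):
    # iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    return "ACCEPT" if pkt["state"] in ("ESTABLISHED", "RELATED") else None


def rule_dport_allow(pkt):
    # iptables -A OUTPUT -p tcp -m multiport --dports 53,80,443 -j ACCEPT
    return "ACCEPT" if pkt["dport"] in ALLOWED_DPORTS else None


def rule_reject(pkt):
    # iptables -A OUTPUT -j REJECT   (the final reject line)
    return "REJECT"


def evaluate(chain, pkt):
    """Return the verdict of the first rule that matches the packet."""
    for rule in chain:
        verdict = rule(pkt)
        if verdict is not None:
            return verdict
    return "ACCEPT"  # default chain policy, reached only if nothing matched


DPORT_ONLY = [rule_dport_allow, rule_reject]
WITH_STATE = [rule_established, rule_dport_allow, rule_reject]
WRONG_ORDER = [rule_dport_allow, rule_reject, rule_established]

# Reply from the local sshd: source port 22, destination is the client's
# random high port, so a destination-port filter never matches it.
SSHD_REPLY = {"sport": 22, "dport": 51514, "state": "ESTABLISHED"}
# New outbound connection to a port that is not on the allow-list.
NEW_SMTP = {"sport": 40000, "dport": 25, "state": "NEW"}

if __name__ == "__main__":
    for name, chain in [("dport only", DPORT_ONLY),
                        ("state rule first", WITH_STATE),
                        ("state rule after reject", WRONG_ORDER)]:
        print(name, evaluate(chain, SSHD_REPLY), evaluate(chain, NEW_SMTP))
```
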