How can I set up iptables to block any connections made to my server from the outside,
while not blocking anything initiated from the inside?
Put these rules, in this order, in the INPUT chain:
# eth1 is the inside interface: accept everything that arrives on it
iptables -A INPUT -i eth1 -j ACCEPT
# eth0 is the outside interface: accept only replies to connections we initiated
iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
# drop packets conntrack cannot classify (malformed or out-of-window)
iptables -A INPUT -i eth0 -m state --state INVALID -j DROP
# everything else arriving from the outside is rejected
iptables -A INPUT -i eth0 -j REJECT
If you want to debug it, look at your conntrack table.
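The same policy as an idempotent script, added here as an example and not part of the original answer. It keeps the answer's ordering (inside accepted, outside limited to replies, then a catch-all REJECT), adds the loopback rule you need as soon as you tighten the default policy, and uses the `conntrack` match rather than the older `state` alias. The interface names are assumptions (WAN is the outside interface, LAN the inside one) and can be overridden from the environment; `build_rules` only prints the rule list so it can be reviewed without root, `apply_rules` installs it.

```shell
#!/bin/sh
# Added example (not from the original answer): "allow everything from the
# inside, allow only replies from the outside", as a re-runnable script.
# WAN/LAN interface names are assumptions; override with WAN=... LAN=...
WAN="${WAN:-eth0}"
LAN="${LAN:-eth1}"

# Emit the INPUT rules in the order they must be appended, one per line.
# The ESTABLISHED,RELATED rule must come before the catch-all REJECT.
build_rules() {
    cat <<EOF
-A INPUT -i lo -j ACCEPT
-A INPUT -i $LAN -j ACCEPT
-A INPUT -i $WAN -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $WAN -m conntrack --ctstate INVALID -j DROP
-A INPUT -i $WAN -j REJECT --reject-with icmp-port-unreachable
EOF
}

# Flush INPUT first so re-running the script does not duplicate rules,
# then append in order. Needs root.
apply_rules() {
    iptables -F INPUT
    build_rules | while IFS= read -r rule; do
        # word-splitting of $rule into iptables arguments is intended
        # shellcheck disable=SC2086
        iptables $rule
    done
}

# What is installed, with hit counters, plus the live connection table,
# which is where to look when a reply is unexpectedly rejected.
show_state() {
    iptables -L INPUT -v -n --line-numbers
    conntrack -L 2>/dev/null || cat /proc/net/nf_conntrack
}

# Usage: sh firewall.sh apply   (or just: sh firewall.sh  to print the rules)
if [ "${1:-}" = "apply" ]; then
    apply_rules && show_state
else
    build_rules
fi
```

Run it without arguments to see the rule list, and with `apply` as root to install it. The default INPUT policy is left at ACCEPT, exactly as in the answer; the explicit REJECT on the outside interface is the catch-all, so if you later switch to `-P INPUT DROP` the loopback rule is what keeps local services talking to each other.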
Without recompiling anything, it cannot be done as far as I am aware. You can however switch to ARC4 or Blowfish which are preposterously fast on modern hardware.
The best performance increase you can get (as far as clock cycles are concerned) is by adding
compression no
You can do this by changing
ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,
aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,
aes256-cbc,arcfour
to
ciphers arcfour,blowfish-cbc
If you want to squeeze some extra performance out at the risk of incompatibility you can change
macs hmac-md5,hmac-sha1,umac-64@openssh.com,
hmac-ripemd160,hmac-sha1-96,hmac-md5-96
to
macs hmac-md5-96
If you still think this is too much overhead, you could revert to v1 or just do a standard VPN.
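Rather than guessing which cipher is cheapest on a given box, measure it. The script below is an added example and not part of the original answer: it pulls the cipher list from the local client (`ssh -Q cipher`), transfers a fixed number of megabytes from a host you already have key-based access to with each cipher in turn, and prints the results sorted by throughput. The target host and transfer size are assumptions supplied on the command line; compression is forced off so only the cipher and MAC cost is measured.

```shell
#!/bin/sh
# Added example (not from the original answer): per-cipher SSH throughput
# benchmark. Assumes key-based, non-interactive access to HOST.

# Throughput in MB/s from a byte count and elapsed seconds, two decimals.
# A zero or negative elapsed time is clamped so we never divide by zero.
mbps() {
    awk -v b="$1" -v s="$2" \
        'BEGIN { if (s <= 0) s = 0.001; printf "%.2f", b / s / 1048576 }'
}

# Ciphers the local client is willing to offer.
client_ciphers() {
    ssh -Q cipher
}

# Pull SIZE_MB megabytes of zeros from HOST using one cipher and print
# "cipher MB/s". If ssh fails (server refuses the cipher, or no access)
# the line reads "cipher failed" instead of a misleading 0.00.
bench_cipher() {
    host=$1; cipher=$2; size_mb=$3
    bytes=$((size_mb * 1048576))
    start=$(date +%s.%N)
    if ! ssh -o Compression=no -o BatchMode=yes -c "$cipher" "$host" \
            "head -c $bytes /dev/zero" > /dev/null 2>&1; then
        printf '%s failed\n' "$cipher"
        return 0
    fi
    end=$(date +%s.%N)
    elapsed=$(awk -v a="$start" -v b="$end" 'BEGIN { print b - a }')
    printf '%s %s\n' "$cipher" "$(mbps "$bytes" "$elapsed")"
}

# Benchmark every client cipher against HOST, fastest first.
bench_all() {
    host=$1; size_mb=${2:-64}
    for c in $(client_ciphers); do
        bench_cipher "$host" "$c" "$size_mb"
    done | sort -k2 -n -r
}

# Usage: sh ssh-cipher-bench.sh user@host [size_mb]
if [ $# -ge 1 ]; then
    bench_all "$@"
fi
```

Run it twice with a large enough size that the numbers stabilise (64 MB is a reasonable start on a LAN); the `failed` rows tell you which of the client's ciphers the server does not accept, which is also what you will hit if you trim the `ciphers` line in `ssh_config` to something the server no longer offers.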
Best Answer
If it only happens sometimes then my first thought would be that the proxy server is maybe only working properly sometimes. Are you reviewing the logs on the proxy server to see what happens? Are you using tools like Wireshark to see what traffic the browser is sending, and where it is going?