So I feel kind of stupid now, but I know what my problem was. I'll share it here for historical purposes.
These rules actually work, it's just that my testing methodology was broken. I'm forwarding MS SQL from a cluster to a remote DB. But I can't actually test that it's working, because the only IP address allowed to hit the remote DB is being used by a single server that isn't proxying other requests, and it's in production. So I've been trying to use curl to hit another web server through the proxy and see if I get a response. Then I could just switch the IP addresses and ports around and it would hopefully work.
But my problem was the rule
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
was catching all the responses coming in and not forwarding them. Once I realized that, I commented out this rule and everything worked. And since in production it will be a completely different port, this rule won't negatively affect the proxy.
Thanks to anyone that spent any time trying to figure out my mistake.
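As an added example (not the poster's own rules), here is a script that generates the iptables rule set for the kind of proxy described above: DNAT a local listen port to the remote DB, accept the rewritten flow in FORWARD rather than INPUT, and SNAT it so the DB sees the proxy's allow-listed address. Port 1433, the address 192.0.2.10 and interface eth0 are assumed placeholders; the script prints the commands instead of applying them.

```shell
#!/bin/sh
# Constructed example: emit the iptables commands for a TCP port-forwarding proxy.
# Nothing here is executed against the live firewall; review the output, then run it as root.

# Accept only a numeric TCP port in 1..65535; returns 1 otherwise.
validate_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Usage: print_forward_rules <listen_port> <remote_ip> <remote_port> <out_iface>
print_forward_rules() {
    listen_port="$1"; remote_ip="$2"; remote_port="$3"; iface="$4"
    validate_port "$listen_port" || { echo "bad listen port: $listen_port" >&2; return 1; }
    validate_port "$remote_port" || { echo "bad remote port: $remote_port" >&2; return 1; }
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
# New connections arriving on the proxy port are rewritten to the remote DB.
# They then traverse FORWARD, not INPUT, so INPUT rules for other ports stay irrelevant.
iptables -t nat -A PREROUTING -p tcp --dport ${listen_port} -j DNAT --to-destination ${remote_ip}:${remote_port}
# Allow only the proxied flow (and its replies) through FORWARD; the default policy should stay DROP.
iptables -A FORWARD -p tcp -d ${remote_ip} --dport ${remote_port} -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -p tcp -s ${remote_ip} --sport ${remote_port} -m state --state ESTABLISHED,RELATED -j ACCEPT
# Source-NAT on the way out so the remote DB's IP allow list sees the proxy's address.
iptables -t nat -A POSTROUTING -p tcp -d ${remote_ip} --dport ${remote_port} -o ${iface} -j MASQUERADE
# Check counters after a test connection: the DNAT rule's pkts column should increase.
iptables -t nat -L PREROUTING -v -n --line-numbers
EOF
}

# Example invocation with placeholder values (MS SQL default port assumed).
print_forward_rules 1433 192.0.2.10 1433 eth0
```

Watch the packet counters from the last command while testing: if the DNAT rule's count stays at zero, the traffic is being consumed locally (as in the INPUT rule above) rather than forwarded.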