I do see that you've disabled CONFIG_IP_NF_CONNTRACK, which is a very odd choice. Connection tracking is the strength of iptables!
You mean weakness. netfilter's conntrack module sucks in performance and at the same time is not fully stateful.
If I wanted a stateful firewall, I would go for an OpenBSD solution. For filtering to host, netfilter is ok without connection tracking.