I configured iptables with quicktables script which gave me next output:
#!/bin/sh
#
#
export PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin
iptables="/sbin/iptables"
if [ -e /proc/sys/net/ipv4/tcp_syncookies ]; then echo 1 > /proc/sys/net/ipv4/tcp_syncookies; fi
if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ]; then echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter; fi
if [ -e /proc/sys/net/ipv4/ip_forward ]; then echo 1 > /proc/sys/net/ipv4/ip_forward; fi
if [ -e /lib/modules/`uname -r`/kernel/net/ipv4/netfilter/ip_nat_irc.o ]; then modprobe ip_nat_irc; fi
if [ -e /lib/modules/`uname -r`/kernel/net/ipv4/netfilter/ip_conntrack_irc.o ]; then modprobe ip_conntrack_irc; fi
if [ -e /lib/modules/`uname -r`/kernel/net/ipv4/netfilter/ip_conntrack_ftp.o ]; then modprobe ip_conntrack_ftp; fi
if [ -e /lib/modules/`uname -r`/kernel/net/ipv4/netfilter/ip_nat_ftp.o ]; then modprobe ip_nat_ftp; fi
$iptables -F INPUT
$iptables -F OUTPUT
$iptables -P INPUT DROP
$iptables -P OUTPUT ACCEPT
$iptables -F FORWARD
$iptables -F -t nat
$iptables -P FORWARD DROP
$iptables -A FORWARD -i eth0 -j ACCEPT
$iptables -A INPUT -i eth0 -j ACCEPT
$iptables -A OUTPUT -o eth0 -j ACCEPT
$iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
$iptables -t nat -A POSTROUTING -s 192.168.2.0/24 -o ppp0 -j MASQUERADE
$iptables -A INPUT -i lo -j ACCEPT
$iptables -A OUTPUT -o lo -j ACCEPT
$iptables -A INPUT -i ppp0 -m state --state ESTABLISHED,RELATED -j ACCEPT
$iptables -I INPUT -i ppp0 -s 10.0.0.0/8 -j DROP
$iptables -I INPUT -i ppp0 -s 172.16.0.0/12 -j DROP
$iptables -I INPUT -i ppp0 -s 192.168.0.0/16 -j DROP
$iptables -I INPUT -i ppp0 -s 127.0.0.0/8 -j DROP
$iptables -I FORWARD -i ppp0 -s 10.0.0.0/8 -j DROP
$iptables -I FORWARD -i ppp0 -s 172.16.0.0/12 -j DROP
$iptables -I FORWARD -i ppp0 -s 192.168.0.0/16 -j DROP
$iptables -I FORWARD -i ppp0 -s 127.0.0.0/8 -j DROP
$iptables -A OUTPUT -p icmp -m state --state NEW -j ACCEPT
$iptables -A INPUT -p icmp -m state --state ESTABLISHED,RELATED -j ACCEPT
$iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s -i ppp0 -j ACCEPT
$iptables -I INPUT -p icmp --icmp-type redirect -j DROP
$iptables -I INPUT -p icmp --icmp-type router-advertisement -j DROP
$iptables -I INPUT -p icmp --icmp-type router-solicitation -j DROP
$iptables -I INPUT -p icmp --icmp-type address-mask-request -j DROP
$iptables -I INPUT -p icmp --icmp-type address-mask-reply -j DROP
#porti za amule
$iptables -A FORWARD -i ppp0 -p tcp --dport 4662 -j ACCEPT
$iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport 4662 -j DNAT --to-destination 192.168.2.2:4662
$iptables -A FORWARD -i ppp0 -p udp --dport 4672 -j ACCEPT
$iptables -t nat -A PREROUTING -i ppp0 -p udp --dport 4672 -j DNAT --to-destination 192.168.2.2:4672
#sestrina emule
$iptables -A FORWARD -i ppp0 -p tcp --dport 7000 -j ACCEPT
$iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport 7000 -j DNAT --to-destination 192.168.2.3:7000
$iptables -A FORWARD -i ppp0 -p udp --dport 7000 -j ACCEPT
$iptables -t nat -A PREROUTING -i ppp0 -p udp --dport 7000 -j DNAT --to-destination 192.168.2.3:7000
#porti za bittorrent
$iptables -A FORWARD -i ppp0 -p tcp --dport 6881:6950 -j ACCEPT
$iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport 6881:6950 -j DNAT --to-destination 192.168.2.2:6881:6950
#porti za web server
$iptables -A FORWARD -i ppp0 -p tcp --dport 80 -j ACCEPT
$iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport 80 -j DNAT --to-destination 192.168.2.4:80
$iptables -A INPUT -i ppp0 -p tcp --dport 0:65535 -j DROP
$iptables -A INPUT -i ppp0 -p udp --dport 0:65535 -j DROP
#tukaj so blokirani ip naslovi od useh sumljivih ljudi
iptables -I INPUT -s 193.77.19.93 -j DROP
iptables -I INPUT -s 64.240.232.95 -j DROP
I am using this machine as router/firewall.
Like you can see i forwarded port 80 on my web server which is behind NAT. Port forwarding is working for other users, bot not for me(i am behind NAT too). If i try to connect to
http://my.external.address i get the massage that connection is refused, but if i connect to
http://192.168.2.4 i can connect. Does anyone know how could i set my iptables script so it will allow machines behind NAT to connect to the web server trough external ip.