I configured iptables with quicktables script which gave me next output:

#!/bin/sh
#
#
export PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin
iptables="/sbin/iptables"

if [ -e /proc/sys/net/ipv4/tcp_syncookies ]; then echo 1 > /proc/sys/net/ipv4/tcp_syncookies; fi
if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ]; then echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter; fi
if [ -e /proc/sys/net/ipv4/ip_forward ]; then echo 1 > /proc/sys/net/ipv4/ip_forward; fi

if [ -e /lib/modules/`uname -r`/kernel/net/ipv4/netfilter/ip_nat_irc.o ]; then modprobe ip_nat_irc; fi
if [ -e /lib/modules/`uname -r`/kernel/net/ipv4/netfilter/ip_conntrack_irc.o ]; then modprobe ip_conntrack_irc; fi
if [ -e /lib/modules/`uname -r`/kernel/net/ipv4/netfilter/ip_conntrack_ftp.o ]; then modprobe ip_conntrack_ftp; fi
if [ -e /lib/modules/`uname -r`/kernel/net/ipv4/netfilter/ip_nat_ftp.o ]; then modprobe ip_nat_ftp; fi

$iptables -F INPUT
$iptables -F OUTPUT
$iptables -P INPUT DROP
$iptables -P OUTPUT ACCEPT

$iptables -F FORWARD
$iptables -F -t nat
$iptables -P FORWARD DROP
$iptables -A FORWARD -i eth0 -j ACCEPT
$iptables -A INPUT -i eth0 -j ACCEPT
$iptables -A OUTPUT -o eth0 -j ACCEPT
$iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
$iptables -t nat -A POSTROUTING -s 192.168.2.0/24 -o ppp0 -j MASQUERADE

$iptables -A INPUT -i lo -j ACCEPT
$iptables -A OUTPUT -o lo -j ACCEPT

$iptables -A INPUT -i ppp0 -m state --state ESTABLISHED,RELATED -j ACCEPT

$iptables -I INPUT -i ppp0 -s 10.0.0.0/8 -j DROP
$iptables -I INPUT -i ppp0 -s 172.16.0.0/12 -j DROP
$iptables -I INPUT -i ppp0 -s 192.168.0.0/16 -j DROP
$iptables -I INPUT -i ppp0 -s 127.0.0.0/8 -j DROP
$iptables -I FORWARD -i ppp0 -s 10.0.0.0/8 -j DROP
$iptables -I FORWARD -i ppp0 -s 172.16.0.0/12 -j DROP
$iptables -I FORWARD -i ppp0 -s 192.168.0.0/16 -j DROP
$iptables -I FORWARD -i ppp0 -s 127.0.0.0/8 -j DROP

$iptables -A OUTPUT -p icmp -m state --state NEW -j ACCEPT
$iptables -A INPUT -p icmp -m state --state ESTABLISHED,RELATED -j ACCEPT
$iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s -i ppp0 -j ACCEPT

$iptables -I INPUT -p icmp --icmp-type redirect -j DROP
$iptables -I INPUT -p icmp --icmp-type router-advertisement -j DROP
$iptables -I INPUT -p icmp --icmp-type router-solicitation -j DROP
$iptables -I INPUT -p icmp --icmp-type address-mask-request -j DROP
$iptables -I INPUT -p icmp --icmp-type address-mask-reply -j DROP

#porti za amule
$iptables -A FORWARD -i ppp0 -p tcp --dport 4662 -j ACCEPT
$iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport 4662 -j DNAT --to-destination 192.168.2.2:4662
$iptables -A FORWARD -i ppp0 -p udp --dport 4672 -j ACCEPT
$iptables -t nat -A PREROUTING -i ppp0 -p udp --dport 4672 -j DNAT --to-destination 192.168.2.2:4672
#sestrina emule
$iptables -A FORWARD -i ppp0 -p tcp --dport 7000 -j ACCEPT
$iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport 7000 -j DNAT --to-destination 192.168.2.3:7000
$iptables -A FORWARD -i ppp0 -p udp --dport 7000 -j ACCEPT
$iptables -t nat -A PREROUTING -i ppp0 -p udp --dport 7000 -j DNAT --to-destination 192.168.2.3:7000
#porti za bittorrent
$iptables -A FORWARD -i ppp0 -p tcp --dport 6881:6950 -j ACCEPT
$iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport 6881:6950 -j DNAT --to-destination 192.168.2.2:6881:6950
#porti za web server
$iptables -A FORWARD -i ppp0 -p tcp --dport 80 -j ACCEPT
$iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport 80 -j DNAT --to-destination 192.168.2.4:80

$iptables -A INPUT -i ppp0 -p tcp --dport 0:65535 -j DROP
$iptables -A INPUT -i ppp0 -p udp --dport 0:65535 -j DROP

#tukaj so blokirani ip naslovi od useh sumljivih ljudi
iptables -I INPUT -s 193.77.19.93 -j DROP
iptables -I INPUT -s 64.240.232.95 -j DROP
I am using this machine as router/firewall.
Like you can see i forwarded port 80 on my web server which is behind NAT. Port forwarding is working for other users, bot not for me(i am behind NAT too). If i try to connect to http://my.external.address i get the massage that connection is refused, but if i connect to http://192.168.2.4 i can connect. Does anyone know how could i set my iptables script so it will allow machines behind NAT to connect to the web server trough external ip.

For reasons deep within the intricacies of the TCP protocol, this is not possible without using your firewall as a proxy.

Basically, your computer opens the connection to your firewall, which forwards the packet to the webserver. The webserver then responds to the local IP of your desktop... but the desktop sees the incoming packet NOT coming from the firewall and resets the connection.