These are run each time the machine is turned on:
And then I manually enter the ones from this thread.

Not that I know of. I have run a web server before when I had the modem connected directly to my computer.

I'm no expert on this stuff but I see a potential problem.
iptables -A INPUT -i ppp0 -m state --state NEW -j log_n_drop

Anybody trying to access the webserver will be a new connection and therefore will be dropped. Try changing it to log_n_pass.

At the moment there is a script that runs when the computer starts up, which executes the iptables commands to set up the network etc. (they are the commands I posted). If I type the 'log_n_pass' line after this script has run, should it work? That is, if I ttype that line, will it replace the old 'log_n_drop' command?

What you really should do is configure the firewall script that came with your distro. e.g. shorewall? I think that's the one on Mandrake.

Or if you like the rule set and simply need to delete a rule. go `iptables -L --line-numbers` and the find the line you want to delete and do a 'iptables -D chain rulenum' chain being the chain name and rulenum being the numbered line on that chain. I hope this is clear.

This is the output of 'iptables --list --line-numbers':

What should I delete? I suppose I need to delete INPUT 3 and FORWARD 2, but what about the log_n_drop chains?

I have just tried deleting the log_n_drop line (INPUT 3) and then typing in the new iptables commands. But then I can't get on the internet!

Right then. I have restarted the computer so it is back to normal. Then I've typed this, in this order:

1. iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport 80 -j DNAT --to 192.168.0.1:80
2. iptables -A FORWARD -p tcp -i ppp0 -d 192.168.0.1 --dport 80 -j ACCEPT
3. echo 1 > /proc/sys/net/ipv4/ip_forward
4. iptables --delete INPUT 3 [the 3 log_n_drop all -- anywhere anywhere state NEW line]
5. iptables -A INPUT -i ppp0 -m state --state NEW -j log_n_pass

After this, the internet works okay, but going to the gateway's external ip does not load the page from my web server.

took me some time to read all your posts ;)
but I think I found something you all haven't looked at: -P DROP
This means each packet will be dropped, if there isn't a rule, which stops that.
My suggestion:
iptables -I INPUT -i ppp0 -p tcp --dport 80 -j ACCEPT
try this line instead of your 5th command ("iptables -A INPUT -i ppp0 -m state --state NEW -j log_n_pass
")
explanation:
With --state NEW you are meaning all packets opening a new connection (see also: 3-way-handshake). After a client has opened a new connection, it send packets without the NEW flag. Now there is no rule matching, so the policy says DROP and the packet is lost.

If it's working please show us the output of 'iptables -L -n' again. thx

Thanks, I will try that. Just one thing though - as I have already entered the 5th command, will I have to restart the computer and type everything again, or will your command just replace the old one?

You can restart and type everything again
or
you should type:
Suddenly I have a doubt, that this works. What I said shouldn't be wrong, but if PREROUTING is working correctly,
the chain INPUT shouldn't be used for these packets.

Anyway try my tip. If it doesn't work, I will write down the complete firewall configuration..

Yes, there are a lot of posts aren't there :D

I tried what you said. Thanks for trying to help, but it still doesn't do it. I didn't know all this was going to get so complicated :(

hoping that's it:
I've written a tiny script. Copy it to a new file an make it executable. Then run it.
This script is deleting all your firewall settings and making new ones. It's only for trying to make your server accessible.
Make sure there are no rules in iptables -t nat. You can do this with iptables -t nat -L.
If you want to reset your configuration, you should restart your computer - I think that is the easiest way, because
your firewall loads a script which (re-)creates all firewallsettings.
I can not try it. I am only hoping that it works ;)

It would be a lot tidier to just replace the "$EXTINT" variable with ppp0..
Makes it way more readable.. ;)

Also to consider..
The original problem of not connecting to a LAN based server using it's external ip number..

If you send packet from 192.168.0.20 to 222.333.444.555 and it's dnatted to 192.168.0.1,
the server will see a source address of 192.168.0.20, notice it's local, and send it directly back, from 192.168.0.1..
So the original pc sees a packet going to 222.333.444.555 but a reply from 192.168.0.1
and drops it as rubbish..

If you have lots of workstations, the quickest answer is to run a small dns caching server on the firewall that converts all the names possible for the server back to it's internal number.
dnsmasq and dnrd are common..
Otherwise, add this list to everyone's /etc/host file (or lmhosts.sam for M$ )

eg
192.168.0.1 www.myserver.com pages.myserver.com myserver.com test.myserver.com

(You of course could have quite a few vitual domain names in the one server)

Sorry, it still doesn't do it. It just stops me connecting to the internet...

So this might not work anyway? At the moment I am trying it by going to the gateway's external IP from the web server, as it's the computer I can get to the easiest.

I will look into that then...

Thanks for everyone's help, I'm not having a go at you... but is this normally so complicated? I thought that all I would have to do is forward packets coming in on port 80 to my web server, and packets from the server back out again! ;)