Old 04-20-2003, 10:25 AM   #1
acid2000
Member
 
Registered: Nov 2001
Location: Exeter, UK
Distribution: Gentoo 1.4
Posts: 243

Rep: Reputation: 30
Forwarding connections


I want to forward all connections on port 80 on device ppp0 to a box on my network (eth1) 192.168.0.3. I think it's something similar to:

iptables -t nat -A PREROUTING -p tcp -j DNAT --to-destination 192.168.0.3:80

iptables -t nat -A POSTROUTING -p tcp -o eth1 --dport 80

Does anyone have any ideas?
Thanks
 
Old 04-20-2003, 10:58 PM   #2
Robert0380
LQ Guru
 
Registered: Apr 2002
Location: Atlanta
Distribution: Gentoo
Posts: 1,280

Rep: Reputation: 47
#echo 1 > /proc/sys/net/ipv4/ip_forward
#iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination 192.168.0.3

that SHOULD do it, if it doesn't let me know
 
Old 04-20-2003, 11:01 PM   #3
Robert0380
LQ Guru
 
Registered: Apr 2002
Location: Atlanta
Distribution: Gentoo
Posts: 1,280

Rep: Reputation: 47
oh, the echo 1 stuff is to turn on ip forwarding if it's not already on, you can check by doing this:

#cat /proc/sys/net/ipv4/ip_forward

if that gives you a 0 then ip forwarding is not on and you should turn it on. If forwarding is not on by default then you will have to put that command in every time you restart your computer. I suggest putting it in a script file and having that file run at startup by adding the line to your rc.local file (in /etc/ I think).
 
Old 04-21-2003, 09:04 AM   #4
acid2000
Member
 
Registered: Nov 2001
Location: Exeter, UK
Distribution: Gentoo 1.4
Posts: 243

Original Poster
Rep: Reputation: 30
No that command does not work

I've tried http://localhost and http://myexternalip neither get me a webpage.
 
Old 04-21-2003, 09:24 AM   #5
Robert0380
LQ Guru
 
Registered: Apr 2002
Location: Atlanta
Distribution: Gentoo
Posts: 1,280

Rep: Reputation: 47
does http://localhost work on the machine that the webserver is on? i.e. the server is running right?

I ask this because the rule basically says:

any new connection attempt coming in on any interface bound for port 80, change the destination address to the .3 machine. You may also want to check the rest of your rules to make sure you aren't dropping the packets in a previous rule. If you don't mind, posting the rest of your iptables rules may help.

Last edited by Robert0380; 04-21-2003 at 09:42 AM.
 
Old 04-21-2003, 10:13 AM   #6
acid2000
Member
 
Registered: Nov 2001
Location: Exeter, UK
Distribution: Gentoo 1.4
Posts: 243

Original Poster
Rep: Reputation: 30
Yes the webserver is running on 192.168.0.3, currently I don't have any other rules as I'm testing this before adding it to my existing firewall ( which is down ) iptables is on accept everything.

after the rules you gave me the output of iptables is:

iptables -L

Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
 
Old 04-21-2003, 10:23 AM   #7
Robert0380
LQ Guru
 
Registered: Apr 2002
Location: Atlanta
Distribution: Gentoo
Posts: 1,280

Rep: Reputation: 47
after you put in the rules I gave you, do this:

iptables -t nat -L

or

iptables -t nat --list (of course they are both the same)

this will give you the nat routing chains

Last edited by Robert0380; 04-21-2003 at 10:25 AM.
 
Old 04-21-2003, 11:04 AM   #8
dorian33
Member
 
Registered: Jan 2003
Location: Poland, Warsaw
Distribution: LFS, Gentoo
Posts: 591

Rep: Reputation: 32
It looks like it should be:
iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport 80 -j DNAT --to-destination=192.168.0.3
iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE

and (with some 'firewalling')
iptables -A FORWARD -m state --state NEW -i ppp0 -p tcp --dport 80 -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

or just (without 'firewalling')
iptables -A FORWARD -p tcp -j ACCEPT

above allows you to see http://your_external_ip in browsers on machines connected through ppp (not from LAN! from LAN the machines are using eth to connect)
of course, you need also /proc/sys/net/ipv4/ip_forward set to 1
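
Added example, not part of the post above or of the thread: a shell script that builds the forwarding rules discussed here, scoped to ppp0 and 192.168.0.3, and appends each rule only when `iptables -C` reports it missing, so repeated runs do not leave duplicate entries like the two DNAT lines listed later in the thread. The variable and function names are assumptions of this example.

```shell
#!/bin/sh
# Added example: scoped, idempotent port-80 forward (addresses from the thread).
WAN_IF="${WAN_IF:-ppp0}"        # external interface named in the thread
WEB_IP="${WEB_IP:-192.168.0.3}" # internal web server named in the thread
PORT="${PORT:-80}"

# Print one rule per line as "<table> <chain> <rule-spec>".
forward_rules() {
    # Rewrite only traffic arriving on the WAN side, not every port-80 packet.
    echo "nat PREROUTING -i $WAN_IF -p tcp --dport $PORT -j DNAT --to-destination $WEB_IP:$PORT"
    # Source-NAT what leaves via the WAN link (dynamic address, so MASQUERADE).
    echo "nat POSTROUTING -o $WAN_IF -j MASQUERADE"
    # FORWARD sees the packet after DNAT, so match the rewritten destination.
    echo "filter FORWARD -i $WAN_IF -d $WEB_IP -p tcp --dport $PORT -m state --state NEW -j ACCEPT"
    echo "filter FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
}

# Turn a rule into an iptables command line for the given action (-C or -A).
rule_cmd() {
    action="$1"; table="$2"; chain="$3"; shift 3
    echo "iptables -t $table $action $chain $*"
}

# Append each rule only if -C reports it missing, so reruns add no duplicates.
apply_rules() {
    forward_rules | while read -r table chain spec; do
        # $spec is left unquoted on purpose: it must split into arguments.
        iptables -t "$table" -C "$chain" $spec 2>/dev/null ||
            iptables -t "$table" -A "$chain" $spec
    done
    sysctl -w net.ipv4.ip_forward=1
}

# Show the append commands without touching the firewall.
dry_run() {
    forward_rules | while read -r table chain spec; do
        rule_cmd -A "$table" "$chain" "$spec"
    done
}

case "${1:-}" in
    --apply) apply_rules ;;   # needs root
    *)       dry_run ;;       # default: print only
esac
```

The FORWARD ACCEPT rules only restrict anything when the FORWARD chain's policy is DROP; with a policy of ACCEPT, as in the listing earlier in the thread, all forwarded traffic is already allowed.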
 
Old 04-21-2003, 03:01 PM   #9
acid2000
Member
 
Registered: Nov 2001
Location: Exeter, UK
Distribution: Gentoo 1.4
Posts: 243

Original Poster
Rep: Reputation: 30
for the rules
iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination 192.168.0.3
iptables -t nat -L gives:

Chain PREROUTING (policy ACCEPT)
target prot opt source destination
DNAT tcp -- anywhere anywhere tcp dpt:www to:192.168.0.3
DNAT tcp -- anywhere anywhere tcp dpt:www to:192.168.0.3

Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
MASQUERADE all -- anywhere anywhere

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Is there any way they could be being refused on .3? Is there a way to check?

Also dorian33 those rules didn't work either
 
Old 04-22-2003, 01:45 PM   #10
dorian33
Member
 
Registered: Jan 2003
Location: Poland, Warsaw
Distribution: LFS, Gentoo
Posts: 591

Rep: Reputation: 32
Very strange, I am using successfully very similar rules in my firewall; the differences are only: eth1 against the ppp0 and SNAT against the MASQUERADE (I've got static IP).
Have you applied all the 3 rules (with PREROUTING, POSTROUTING and FORWARD) ?
How did you do the test (from 'outside' machine)?
Can you see the http://192.168.0.3 site from firewall box?
If so post all firewall rules.
 
Old 04-22-2003, 04:26 PM   #11
acid2000
Member
 
Registered: Nov 2001
Location: Exeter, UK
Distribution: Gentoo 1.4
Posts: 243

Original Poster
Rep: Reputation: 30
I think I've fixed it, looks like those rules above worked but I just couldn't access the page from within my network.

I checked from an external source and it worked. Thanks for your help.
 
Old 04-23-2003, 01:53 AM   #12
bbenz3
Member
 
Registered: Feb 2002
Location: Orlando
Distribution: Whatever I feel like at the time I install.
Posts: 284

Rep: Reputation: 30
Quote:
#iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination 192.168.0.3
If you change that to use the command -i ethx (where x is the number that corresponds to your ext NIC) you should be able to see it from your int network as well.

That is at least how I did it on mine.
 
  

