I have been trying to get a computer behind my NAT linux box to become a 'DMZ' node (DMZ as in a node that is virtually associated to the internet source ip; all incoming requests are forwarded to the DMZ computer from the NAT box). Linksys routers have this setting (that is where I adopted the DMZ term).
If you've followed me so far, I accomplished this easily with the following IPTABLES entry:
$IPTABLES -t nat -A PREROUTING -i eth0 -p tcp -j DNAT --to [DMZ local ip addr]

This works in terms of forwarding all requests to the DMZ node, but then I realized that it will prevent me from connecting to services on the NAT box! I then replaced the above IPTABLES entry with this:
$IPTABLES -t nat -A PREROUTING -i eth0 -p tcp --dport ! 3784 -j DNAT --to[DMZ ip]
This checks for the destination port, and if it is 3784 (one of my services on the nat box) then it does not forward it to the dmz.

Well, it works fine and everything is great but then I realized what this setup entails. I will need to write additional IPTABLES entries for every service that I want to run on the nat box so that they are not mistakenly forwarded to the dmz. (i don't plan on moving the services to the dmz).
Also, I realized that if I have two services, one on the dmz and one on the nat box, that are listening on the same ports, my current IPTABLES entries will not work. However, the linkysys routers have the ability to accept port 80 connections (for the web-configuration utility) and also send port 80 requests to a dmz if it ALSO has a port 80 web server!! How is this possible?
I am curious if anyone knows of a better IPTABLES configuration that would solve all this. In case you havn't figured out already, I am using masquerading, etc for the NAT functionality. Is there an easier way to have two nodes share "outside" access of the internet IP? Any suggestions would be appreciated. I am a very big newbie when it comes to IPTABLES in the first place, so don't assume I know the advanced configurations. Let me know what's up! Thanks!

-Rims

DNAT for only service ports! like if u have web server in DMZ. like this:

iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to DMZ_web_ip

dont send all of incoming packets to DMZ. just service ports must be forwarded to DMZ.

check http://iptables-script.dk/
i hope it will help u...

your modem listens its internal interface for its own web interface.. it make DNAT port 80 to DMZ if packets come to its external interface. it must work like this.