I think what you are after is something like this. A firewall machine with 3 network cards in it.
eth0 is connected to the internet
eth1 is your local intranet on a non-routable class C address.
eth2 is connected to the DMZ where the server(s) will be. It will be on another non-routable class C address.
eth0: external IP.
Set up iptables to do all the packet filtering. There is lots of info here on the subject.
For the second question, a router does the same as a firewall. It would be easier, but would use 2 routers.
First router with the external IP on the WAN side and the internal side set up as 192.168.1.0/24. This is where your server(s) will be located. Then, with the second router, the outside port on it will be connected to the inside LAN port of the first router. Use an address like 192.168.1.10 for the WAN side and then make the LAN side of it 192.168.2.0. Now all you have to do is set up which port to forward to in the 192.168.1.0/24 area. On the second router no port forwarding is done, to protect the internal machines on the private LAN.
external IP > 1st router > 192.168.1.0/24(server(s)) > 192.168.1.10 > 2nd router > 192.168.2.0/24(lan machines)
If you want to add more security, all machines should run a firewall themselves.
Hope this helps out.
Last edited by Brian1; 08-16-2005 at 08:28 PM.
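The three-NIC layout from the post above, written out as an iptables script. This is an added example, not Brian1's own rules or anything from the thread: the interface roles (eth0 internet, eth1 LAN, eth2 DMZ) follow the post, but the subnets (192.168.1.0/24 for the LAN, 192.168.2.0/24 for the DMZ), the web server at 192.168.2.10, the admin workstation at 192.168.1.10 and the single published port (TCP 80) are assumptions. The rule set is deny-by-default, lets the LAN open connections outward and into the DMZ, lets the DMZ reach the internet but never the LAN, and forwards only port 80 from outside to the DMZ server, which is the same isolation the two-router setup gets from having no port forwards on the second router.

```shell
#!/bin/sh
# Three-NIC firewall for the layout in the post: eth0 = internet (WAN),
# eth1 = private LAN, eth2 = DMZ.  Subnets and hosts below are assumptions
# made for this example, not values given in the post.
set -eu

WAN=eth0
LAN=eth1
DMZ=eth2
LAN_NET=192.168.1.0/24   # assumed LAN subnet
DMZ_NET=192.168.2.0/24   # assumed DMZ subnet
WEB=192.168.2.10         # assumed web server in the DMZ
ADMIN=192.168.1.10       # assumed admin workstation on the LAN

# build_firewall CMD: run every rule through CMD.  "iptables" applies the
# policy (root required); "echo" prints it so it can be reviewed without root.
build_firewall() {
    ipt=$1

    # Start from empty tables with deny-by-default policies.
    "$ipt" -F
    "$ipt" -t nat -F
    "$ipt" -X
    "$ipt" -P INPUT DROP
    "$ipt" -P FORWARD DROP
    "$ipt" -P OUTPUT ACCEPT

    # Loopback, plus return traffic for connections already allowed.
    "$ipt" -A INPUT -i lo -j ACCEPT
    "$ipt" -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    "$ipt" -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # Anti-spoofing: private source addresses never legitimately arrive on the
    # WAN side, and LAN/DMZ addresses must come in on their own interface.
    for net in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 127.0.0.0/8; do
        "$ipt" -A INPUT   -i "$WAN" -s "$net" -j DROP
        "$ipt" -A FORWARD -i "$WAN" -s "$net" -j DROP
    done
    "$ipt" -A FORWARD -i "$LAN" ! -s "$LAN_NET" -j DROP
    "$ipt" -A FORWARD -i "$DMZ" ! -s "$DMZ_NET" -j DROP

    # Management: SSH to the firewall itself only from the admin host on the LAN.
    "$ipt" -A INPUT -i "$LAN" -s "$ADMIN" -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT

    # LAN may open connections to the internet and to the DMZ.
    "$ipt" -A FORWARD -i "$LAN" -o "$WAN" -s "$LAN_NET" -j ACCEPT
    "$ipt" -A FORWARD -i "$LAN" -o "$DMZ" -s "$LAN_NET" -j ACCEPT

    # DMZ may reach the internet (updates etc.) but never opens connections into
    # the LAN, so a compromised DMZ host cannot pivot inward.  The DROP comes
    # first; only ESTABLISHED replies to LAN-initiated traffic pass (rule above).
    "$ipt" -A FORWARD -i "$DMZ" -o "$LAN" -j DROP
    "$ipt" -A FORWARD -i "$DMZ" -o "$WAN" -s "$DMZ_NET" -j ACCEPT

    # Published service: internet -> DMZ web server, TCP 80 only.
    "$ipt" -t nat -A PREROUTING -i "$WAN" -p tcp --dport 80 -j DNAT --to-destination "$WEB:80"
    "$ipt" -A FORWARD -i "$WAN" -o "$DMZ" -d "$WEB" -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT

    # Hide both private networks behind the WAN address on the way out.
    "$ipt" -t nat -A POSTROUTING -o "$WAN" -j MASQUERADE
}

case "${1:-}" in
    apply) build_firewall iptables && sysctl -w net.ipv4.ip_forward=1 ;;  # as root
    *)     build_firewall echo ;;                                         # dry run
esac
```

Run it with no argument to print the rules for review, and as root with `apply` to load them and turn on forwarding. Rule order matters: the DMZ-to-LAN DROP sits before any DMZ ACCEPT, and the anti-spoofing drops sit before the forwarding accepts, so a packet from the DMZ claiming a LAN source address is discarded rather than matched as LAN traffic. Adjust the subnet, server and port variables to your own layout, and add one DNAT/FORWARD pair per additional published service rather than loosening the defaults.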