Yes, this is quite readily done. You need to do two things:
1. Have your firewall map the incoming TCP request from the public address to your IIS system address. This is done like this
# iptables -t nat -A PREROUTING -p tcp -d X.X.X.X --dport 8080 -j DNAT --to-destination 192.168.1.4:80
2. If your firewall has a default FORWARD policy of DROP (the usual case), put an explicit rule allowing the mapped packet to be forwarded:
# iptables -A FORWARD -p tcp -d 192.168.1.4 --dport 80 -j ACCEPT
#iptables -A FORWARD -m state -p tcp --state ESTABLISHED -j ACCEPT
The first step will alter the incoming connection request so that, as far as the IIS server can tell, it will have come from 192.168.1.x (your firewall local ethernet address) on TCP port 80. That server will respond in its normal way, and send a reply to your firewall. When it arrives there, the packet processing code will compare it to its table of translated packets, and change the header data back so that the reply appears to have come from the public firewall address (X.X.X.X) from port 8080. This packet will then be sent out over the Internet to the original requestor.
Step two is required on the firewall to complete the process of transmitting the packets. Normally, private network addresses (of which 192.168.x.y are a subset) must not be forwarded. However, because the firewall is generating this altered packet, which comes from a public IP address, it is OK to forward it. The two rules together take care of the forwarding in both directions.