Well, it goes like this.

1.) Any routing protocol is not needed, unless you have REAL Internet Addresses on the inside of the firewall. Which you don't.

2.) Port Forwarding is what you need. You can do this with nearly any GOOD firewall product... including IPTABLES.

3.) "Crackers" typically have less of a chance to compromise your web-server when using port-forwarding. It allows you to use your one ip addr, to be serviced by many machines should you so choose.

Fer instance:

Your public IP is 208.1.2.3
You use 172.16.0.0/16 as your private network

172.16.10.17 is your Webserver with SSL also on tcp ports 80 & 443, running Apache and AIX

172.16.20.34 is your "anonftp" server on ports 20 & 21, Running on Winbloze-Oh-Oh

172.16.30.51 is a ssl-webmin managed server on port 10000, running on SuSE Linux

172.16.40.68 is a public LDAP/SSL-LDAP server on tcp 389, udp 389 & tcp 636, running on Novell Netware 6 with eDIR

172.16.50.85 is your user-world for ssh-shell and ssl-usermin access on ports tcp/udp 22 and tcp 20000, running on Tru64 v5.01a

That would mean your rules would look something like this:

208.1.2.3 tcp ports 80 & 443 ---->
      172.16.10.17 tcp ports 80 & 443

208.1.2.3 tcp ports 20 & 21 ---->
      172.16.20.34 tcp ports 20 & 21

208.1.2.3 tcp port 10000 ---->
      172.16.30.51 tcp port 10000

208.1.2.3 tcp/udp port 389 & tcp port 636 --->
      172.16.40.68 tcp/udp port 389 & tcp port 636

208.1.2.3 tcp ports 22 & 20000 --->
      172.16.50.85 tcp ports 22 & 20000

Imagine what a port scan on that (provided you responded to port scans) would look like.

Sidenote: You should obviously NOT be using that big of a subnet anywhere in this world currently, even with IPv6 and BGP. Also I am assuming static routes here for this setup. As I would encode it in the DHCP I would be running too...
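The mapping table above written out as iptables DNAT rules, added here as an example and not part of the original post; it assumes the firewall itself holds 208.1.2.3 on eth0 and is the default gateway for the 172.16.0.0/16 hosts, so no SNAT is needed for the return path.

```shell
#!/bin/sh
# Added example (not from the original post). Generates the port-forwarding
# rules for the table in the post; by default it only prints them, set APPLY=1
# to pipe them into sh on the firewall. Assumed: eth0 is the public interface.
PUBLIC_IP=208.1.2.3
WAN_IF=eth0

# One forward per line: proto, public port, internal host, internal port.
MAPPINGS='
tcp 80    172.16.10.17 80
tcp 443   172.16.10.17 443
tcp 20    172.16.20.34 20
tcp 21    172.16.20.34 21
tcp 10000 172.16.30.51 10000
tcp 389   172.16.40.68 389
udp 389   172.16.40.68 389
tcp 636   172.16.40.68 636
tcp 22    172.16.50.85 22
tcp 20000 172.16.50.85 20000
'

# Default-deny forwarding; only reply traffic and the explicit forwards pass.
base_rules() {
  echo 'iptables -P FORWARD DROP'
  echo 'iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
}

# Each forward needs two rules: the DNAT in PREROUTING that rewrites the
# destination, and a FORWARD accept so the DROP policy lets the new flow in.
forward_rules() {
  proto=$1; pub=$2; host=$3; port=$4
  printf 'iptables -t nat -A PREROUTING -i %s -d %s -p %s --dport %s -j DNAT --to-destination %s:%s\n' \
    "$WAN_IF" "$PUBLIC_IP" "$proto" "$pub" "$host" "$port"
  printf 'iptables -A FORWARD -i %s -d %s -p %s --dport %s -m conntrack --ctstate NEW -j ACCEPT\n' \
    "$WAN_IF" "$host" "$proto" "$port"
}

# Expand the whole table; blank lines in MAPPINGS are skipped.
all_rules() {
  printf '%s\n' "$MAPPINGS" | while read -r proto pub host port; do
    [ -n "$proto" ] || continue
    forward_rules "$proto" "$pub" "$host" "$port"
  done
}

if [ "${APPLY:-0}" = 1 ]; then { base_rules; all_rules; } | sh; else base_rules; all_rules; fi
```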