The DMZ must be separated from the local network.
That is, it must be a separate subnet.
I usually make the following rules for the DMZ.
1) From the Internet to the server in the DMZ, forward only the necessary ports.
eleazar_Schimm answered on October 14th 19 at 11:59
iptables -t nat -A PREROUTING -i $ETH -p tcp --dport $PORT -m state --state NEW -j DNAT --to-destination $IP
where $ETH is the interface facing the provider, $PORT is the published port and $IP is the server's IP address (the target has to be DNAT here: SNAT is not accepted in the PREROUTING chain). And it's not a DMZ
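An added example, not code from the answer above: a minimal ruleset for the layout described (DMZ on its own subnet, only the needed ports published, DMZ hosts unable to open connections into the LAN). Interface names, subnets, the DMZ host address and the port list are assumptions; with IPT=echo the function prints the rules instead of applying them.

```shell
#!/bin/sh
# Added example; interface names, subnets and host address are assumed values.
# IPT defaults to iptables; set IPT=echo to print the rules instead of applying them.
IPT="${IPT:-iptables}"
WAN="${WAN:-eth0}"            # provider-facing interface
LAN_IF="${LAN_IF:-eth1}"      # local network (assumed 192.168.1.0/24)
DMZ_IF="${DMZ_IF:-eth2}"      # DMZ, a separate subnet (assumed 192.168.2.0/24)
LAN_NET="${LAN_NET:-192.168.1.0/24}"
DMZ_NET="${DMZ_NET:-192.168.2.0/24}"
DMZ_HOST="${DMZ_HOST:-192.168.2.10}"
PUBLISHED_PORTS="${PUBLISHED_PORTS:-80 443}"   # only the ports the server actually serves

dmz_rules() {
    # Forwarded traffic is denied unless a rule below allows it; replies are always let through.
    $IPT -P FORWARD DROP
    $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # Internet -> DMZ host: port forwarding is DNAT in PREROUTING, one rule per published port,
    # plus the matching FORWARD accept for new connections to that port only.
    for port in $PUBLISHED_PORTS; do
        $IPT -t nat -A PREROUTING -i "$WAN" -p tcp --dport "$port" \
            -j DNAT --to-destination "$DMZ_HOST:$port"
        $IPT -A FORWARD -i "$WAN" -o "$DMZ_IF" -d "$DMZ_HOST" -p tcp --dport "$port" \
            -m conntrack --ctstate NEW -j ACCEPT
    done

    # DMZ -> Internet is allowed (updates etc.) and masqueraded on the WAN side.
    $IPT -A FORWARD -i "$DMZ_IF" -o "$WAN" -s "$DMZ_NET" -j ACCEPT
    $IPT -t nat -A POSTROUTING -o "$WAN" -j MASQUERADE

    # LAN may initiate connections into the DMZ; the DMZ may not initiate into the LAN
    # (a compromised DMZ host only gets to answer, never to reach inward).
    $IPT -A FORWARD -i "$LAN_IF" -o "$DMZ_IF" -s "$LAN_NET" -d "$DMZ_NET" -j ACCEPT
    $IPT -A FORWARD -i "$DMZ_IF" -o "$LAN_IF" -s "$DMZ_NET" -d "$LAN_NET" -j DROP
    # LAN -> Internet as usual.
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN" -s "$LAN_NET" -j ACCEPT
}

# Apply the ruleset only when explicitly asked: ./dmz.sh apply
if [ "${1:-}" = apply ]; then
    dmz_rules
fi
```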