iptables NAT configure
Ok, so I would probably just create a bunch of aliases (virtual interfaces) for each of the public IPs so that you have general connectivity (though not necessary), then just write a DNAT rule for each mapping and forward the required ports to the LAN server. Just remember that iptables will treat each of the virtual interfaces as one interface, so eth0:1, eth0:2, and eth0:3 would all be just eth0 in your iptables rules (using aliases in the rules will cause an error). So your DNAT rules will look like:

iptables -t nat -A PREROUTING -i eth0 -d 65.66.67.150 -j DNAT --to-destination 192.168.1.2
iptables -t nat -A PREROUTING -i eth0 -d 65.66.67.151 -j DNAT --to-destination 192.168.1.3

If you want to forward each of those ports to all of the internal servers, then your forwarding rules will be:
iptables -A FORWARD -p tcp -m multiport --dports 21,23,25,53,80,110,443,3389,5561,5562 -j ACCEPT

If you only want to forward certain ports to certain LAN servers, then just specify which ports and which internal IPs. For example say you only want port 80 and 443 going to 192.168.1.2 and ftp going to 192.168.1.3. Then your rules would be:
iptables -A FORWARD -p tcp -m multiport --dports 80,443 -d 192.168.1.2 -j ACCEPT
iptables -A FORWARD -p tcp --dport 21 -d 192.168.1.3 -j ACCEPT

Finally you'll need a rule to allow packets back out:
iptables -A FORWARD -i eth1 -j ACCEPT
(you can lock this down further depending on your needs)

Also make sure that you've turned on packet forwarding in the kernel:
echo 1 > /proc/sys/net/ipv4/ip_forward
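
The whole procedure from the reply above (addresses on the WAN interface, DNAT per public IP, per-server port filtering, return traffic, kernel forwarding) put together as an added example; this is not the poster's script. It emits an `iptables-restore` ruleset instead of individual `iptables -A` calls so the rules load atomically and can be reviewed before they are applied. Interface names `eth0`/`eth1`, the `/24` prefix length and the mapping table are assumed sample values; the public and LAN addresses are the ones used in the post. It also takes the "lock this down further" remark literally: the FORWARD policy is DROP, reply traffic is admitted by conntrack state rather than by a blanket `-i eth1 -j ACCEPT`, and each LAN server gets a matching SNAT rule so its own outbound connections leave with its public address.

```shell
#!/bin/sh
# Added example (not from the post): generate an iptables-restore ruleset for
# 1:1 NAT of several public IPs onto LAN servers, plus the forwarding policy.
# Interface names, prefix length and the mapping below are assumed sample values.
set -eu

WAN_IF=eth0      # holds the public addresses; aliases are still "eth0" to iptables
LAN_IF=eth1      # faces the LAN servers

# One line per public address: PUBLIC_IP LAN_IP ALLOWED_TCP_PORTS
# (constructed sample mapping, addresses taken from the post)
MAPPINGS='65.66.67.150 192.168.1.2 80,443
65.66.67.151 192.168.1.3 21'

# dnat_rule PUBLIC_IP LAN_IP: everything arriving for PUBLIC_IP goes to LAN_IP,
# keeping the original destination port (no --to-destination port given).
dnat_rule() {
    printf '%s\n' "-A PREROUTING -i $WAN_IF -d $1 -j DNAT --to-destination $2"
}

# snat_rule LAN_IP PUBLIC_IP: connections the server opens itself leave with its
# own public address instead of the router's primary one.
snat_rule() {
    printf '%s\n' "-A POSTROUTING -o $WAN_IF -s $1 -j SNAT --to-source $2"
}

# forward_rule LAN_IP PORTS: only new TCP connections to the listed ports may
# cross from WAN to that server; anything else hits the FORWARD DROP policy.
forward_rule() {
    printf '%s\n' "-A FORWARD -i $WAN_IF -o $LAN_IF -d $1 -p tcp -m multiport --dports $2 -m conntrack --ctstate NEW -j ACCEPT"
}

# ruleset: the complete nat + filter tables in iptables-restore format.
ruleset() {
    printf '%s\n' '*nat' ':PREROUTING ACCEPT [0:0]' ':POSTROUTING ACCEPT [0:0]'
    printf '%s\n' "$MAPPINGS" | while read -r pub lan ports; do
        dnat_rule "$pub" "$lan"
        snat_rule "$lan" "$pub"   # must precede MASQUERADE: first match wins
    done
    # Any other LAN host shares the router's primary address for outbound traffic.
    printf '%s\n' "-A POSTROUTING -o $WAN_IF -j MASQUERADE" COMMIT
    printf '%s\n' '*filter' ':FORWARD DROP [0:0]'
    # Replies (and helper-tracked related flows) for connections already accepted.
    printf '%s\n' '-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    printf '%s\n' "$MAPPINGS" | while read -r pub lan ports; do
        forward_rule "$lan" "$ports"
    done
    # LAN may open new connections outward; WAN only through the rules above.
    printf '%s\n' "-A FORWARD -i $LAN_IF -o $WAN_IF -m conntrack --ctstate NEW -j ACCEPT" COMMIT
}

# apply: add the public addresses, load the ruleset atomically, enable forwarding.
apply() {
    printf '%s\n' "$MAPPINGS" | while read -r pub lan ports; do
        ip addr replace "$pub/24" dev "$WAN_IF"   # /24 is an assumption
    done
    ruleset | iptables-restore
    sysctl -w net.ipv4.ip_forward=1   # persist it in /etc/sysctl.conf as well
}

case "${1:-print}" in
    apply) apply ;;
    *)     ruleset ;;
esac
```

Run it with no argument to print the ruleset for review, and as root with `apply` to install it. Because the DNAT rule forwards every port of the public address, the FORWARD chain is what actually limits exposure; with the DROP policy, a port missing from the mapping is unreachable even though it was translated. Port 21 is the one entry that needs more than this: FTP data connections only show up as RELATED if the `nf_conntrack_ftp` and `nf_nat_ftp` helpers are loaded, and on kernels since 4.7 the helper has to be assigned explicitly (for example with the `CT` target in the raw table) unless `net.netfilter.nf_conntrack_helper` is set to 1.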
