From the generated filter_rules, yes, the WAN-to-LAN default "DROP" will drop the packets before the rule that forwards packets to the DMZ IP address.
I tried setting 192.168.1.200 as the DMZ and forwarding port 80 to 192.168.1.201:
Code:
# cat /tmp/filter_rules
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:logaccept - [0:0]
:logdrop - [0:0]
-A INPUT -m state --state INVALID -j logdrop
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -m state --state NEW -j ACCEPT
-A INPUT -i br0 -m state --state NEW -j ACCEPT
-A INPUT -j logdrop
-A FORWARD -m state --state INVALID -j logdrop
-A FORWARD -i br0 -o br0 -j ACCEPT
-A FORWARD -p tcp --syn -m limit --limit 1/s -j ACCEPT
-A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT
-A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
-A FORWARD -i eth0 -o br0 -p tcp -d 192.168.1.201 --dport 80 -j ACCEPT
-A FORWARD -i eth0 -o br0 -j logdrop
-A FORWARD -p udp --dport 6112 -j ACCEPT
-A FORWARD -d 192.168.1.200 -j ACCEPT
-A logaccept -m state --state NEW -j LOG --log-prefix "ACCEPT " --log-tcp-sequence --log-tcp-options --log-ip-options
-A logaccept -j ACCEPT
-A logdrop -m state --state NEW -j LOG --log-prefix "DROP" --log-tcp-sequence --log-tcp-options --log-ip-options
-A logdrop -j DROP
COMMIT
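
The rule ordering described in the post can be checked with a first-match walk over the FORWARD chain. This is an added example, not part of the original post or the firmware: the two packets are constructed, `dmz_first` is a hypothetical reordering used only for comparison, and the model assumes a valid mid-connection TCP segment that arrives on eth0 for br0 after DNAT, so rules using state, limit or flag matches never apply to it.

```python
# FORWARD chain copied from the /tmp/filter_rules dump in the post.
FORWARD = """\
-A FORWARD -m state --state INVALID -j logdrop
-A FORWARD -i br0 -o br0 -j ACCEPT
-A FORWARD -p tcp --syn -m limit --limit 1/s -j ACCEPT
-A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT
-A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
-A FORWARD -i eth0 -o br0 -p tcp -d 192.168.1.201 --dport 80 -j ACCEPT
-A FORWARD -i eth0 -o br0 -j logdrop
-A FORWARD -p udp --dport 6112 -j ACCEPT
-A FORWARD -d 192.168.1.200 -j ACCEPT
""".splitlines()

# Only these options are modelled; any other option marks the rule as skipped.
MODELLED = {"-i": "in", "-o": "out", "-p": "proto", "-d": "dst", "--dport": "dport"}

def parse(rule):
    """Split a rule into (modelled criteria, target, fully_modelled)."""
    crit, target, full = {}, None, True
    it = iter(rule.split()[2:])          # drop "-A FORWARD"
    for t in it:
        if t == "-j":
            target = next(it)
        elif t in MODELLED:
            crit[MODELLED[t]] = next(it)
        else:
            full = False                 # state/limit/flag matches: not modelled
    return crit, target, full

def first_match(rules, pkt):
    """Return (rule, target) of the first rule that decides pkt."""
    for rule in rules:
        crit, target, full = parse(rule)
        if full and all(pkt.get(k) == v for k, v in crit.items()):
            return rule, target
    return None, "ACCEPT"                # chain policy in the dump: FORWARD ACCEPT

def dmz_first(rules):
    """Hypothetical reordering: DMZ accept placed ahead of the WAN-to-LAN logdrop."""
    dmz, drop = "-A FORWARD -d 192.168.1.200 -j ACCEPT", "-A FORWARD -i eth0 -o br0 -j logdrop"
    rest = [r for r in rules if r != dmz]
    i = rest.index(drop)
    return rest[:i] + [dmz] + rest[i:]

# Constructed packets: WAN traffic to the DMZ host and to the port-forward target.
DMZ_PKT = {"in": "eth0", "out": "br0", "proto": "tcp", "dst": "192.168.1.200", "dport": "22"}
FWD_PKT = {"in": "eth0", "out": "br0", "proto": "tcp", "dst": "192.168.1.201", "dport": "80"}

if __name__ == "__main__":
    for name, rules in (("as generated", FORWARD), ("DMZ rule first", dmz_first(FORWARD))):
        print(name, "->", first_match(rules, DMZ_PKT), first_match(rules, FWD_PKT)[1])
```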