To explain this we first need to cover the concept of private and public IP addressing (covered in RFC 1918). In theory there are just over 4 billion IPv4 addresses, but there are far more than 4 billion computers connected to the internet. For this reason private IP address ranges have been allocated which are not routable on the internet and are only usable by computers on a private network; these are the ranges 10.0.0.0-10.255.255.255, 192.168.0.0-192.168.255.255 and 172.16.0.0-172.31.255.255. For a private network to connect to the internet, IP masquerading needs to occur: one PC acts as a router and default gateway for the computers on the private network, handles all their requests and, when data is returned, decides which internal computer that data should be sent to. As these private addresses are non-routable, this is an extremely secure method of connecting a PC to the internet: the only machine that has a public (routable) IP address is the router or gateway machine. It is of course also a convenient way of sharing an internet connection between several computer systems.
For applications to communicate on the internet or on any TCP/IP network they require ports for clients and servers to run on; for instance a web server runs on port 80 while a DNS (name) server runs on port 53. Port numbers range from 0 to 65535, and by standard convention the first 1024 are reserved for well-known services; you can of course deviate from this, but it is not recommended. When a program connects to a port on a remote machine it also opens a port on the local machine for the returned data to be sent to, and this local port is always above 1024. With NAT (Network Address Translation) the gateway uses this port to work out which machine on the private network the returned data belongs to.
A DMZ basically allows all the ports on the router/NAT machine to be forwarded to a machine or machines on the internal network. This is similar to forwarding specific ports, but forwards every port to those machines. It is of course an extremely good way of protecting your router/NAT machine; the flip side is that the security of the internal machine receiving that traffic is decreased. For that reason the DMZ will usually be a separate set of machines from the internal LAN.
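The port translation described above, and the way a DMZ host changes what happens to unsolicited inbound traffic, as an added toy model (example code written for this page, not a real network stack). The gateway's public address, the internal hosts and the packet values are constructed; a real NAT also matches the remote address and port of each flow, which this model omits.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

# RFC 1918 private ranges named in the text above.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_private(addr: str) -> bool:
    """True if addr falls in one of the RFC 1918 non-routable ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in PRIVATE_NETS)


@dataclass
class NatGateway:
    """Toy port-translating gateway (constructed example).

    public_ip: the single routable address the gateway owns.
    dmz_host:  optional internal host that receives every inbound packet
               with no existing translation (the 'forward all ports' DMZ).
    """
    public_ip: str
    dmz_host: Optional[str] = None
    next_port: int = 1025                      # translated ports stay above 1024
    table: dict = field(default_factory=dict)  # pub_port -> (priv_ip, priv_port)

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        """Rewrite an outgoing packet's source to the public address and a fresh port."""
        if not is_private(src_ip):
            raise ValueError(f"{src_ip} is not an RFC 1918 address")
        pub_port = self.next_port
        self.next_port += 1
        self.table[pub_port] = (src_ip, src_port)   # remember who owns this flow
        return (self.public_ip, pub_port, dst_ip, dst_port)

    def inbound(self, src_ip, src_port, dst_port):
        """Deliver a packet arriving at the public address, or drop it (None)."""
        if dst_port in self.table:
            return self.table[dst_port]            # reply to a flow an inside host opened
        if self.dmz_host is not None:
            return (self.dmz_host, dst_port)       # DMZ host is reachable on every port
        return None                                # unsolicited traffic has nowhere to go
```

Without a DMZ host, an inbound packet for a port no internal machine opened is simply dropped; with one configured, that same packet is delivered to the DMZ host, which is the reduced security the text refers to.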