I would really recommend the IP Masquerade HOWTO at http://www.tldp.org/HOWTO/IP-Masquerade-HOWTO/index.html. He's tried to keep backward compatibility with the 2.0 and 2.2 kernels, and it's the best system I've found - clear and consistent.

The fact that there are Connection Tracking modules for FTP and IRC (and I think AIM) makes me think that this is what is breaking the system. If you were to configure the firewall NOT to do masquerading, but just to filter packets, that might work. You would put the DMZ systems, including the external port on the firewall, in one subnet of the router's range, and the internal systems on a different subnet. Netmasks would be the same, but the gateway would be different for each. The router then needs to know that the firewall is the route/gateway to the internal subnet, something it may not be capable of learning.

How 'bout it, LUGnuts, does this sound right to you?
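The filter-only layout sketched above, written out as an added example (this is not the poster's configuration and not from the HOWTO). It assumes the router serves 192.0.2.0/24, split into a DMZ half and an internal half, with eth0/eth1 as the firewall's external and internal interfaces; all addresses and interface names are made up for illustration. Run without arguments it only prints the commands; with --apply it runs the firewall rules on the local box and prints the one line the router still needs.

```shell
#!/bin/sh
# Added example, not from the original post or any project: a filter-only
# firewall (no masquerading) between an upstream router and two subnets, plus
# the static route the router needs in order to reach the internal subnet.
# All addresses and interface names below are assumptions for illustration.

ROUTER_RANGE=192.0.2.0/24      # the block the router already serves
DMZ_NET=192.0.2.0/25           # first half: DMZ hosts + the firewall's external port
INT_NET=192.0.2.128/25         # second half: internal hosts, behind the firewall
ROUTER_IP=192.0.2.1            # default gateway for the DMZ subnet
FW_EXT=192.0.2.2               # firewall's address inside the DMZ subnet
FW_INT=192.0.2.129             # firewall's address inside the internal subnet;
                               # this is the default gateway for internal hosts
EXT_IF=eth0                    # firewall interface facing the DMZ and router
INT_IF=eth1                    # firewall interface facing the internal subnet

# Rules for the firewall box. Everything lives in the filter table; the nat
# table is never touched, so no MASQUERADE target and no NAT helper modules
# are involved. Because addresses are not rewritten, replies arrive carrying
# the internal host's own address as destination, so the return rule can
# match on -d $INT_NET directly.
fw_rules() {
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -F FORWARD
iptables -P FORWARD DROP
# Internal hosts may open connections outward through the firewall.
iptables -A FORWARD -i $INT_IF -o $EXT_IF -s $INT_NET -j ACCEPT
# Only replies to those connections come back in.
iptables -A FORWARD -i $EXT_IF -o $INT_IF -d $INT_NET -m state --state ESTABLISHED,RELATED -j ACCEPT
# Log and drop anything else addressed to the internal subnet.
iptables -A FORWARD -o $INT_IF -j LOG --log-prefix "FW-DROP: "
iptables -A FORWARD -o $INT_IF -j DROP
EOF
}

# The one line the router must have. Without it the router treats all of
# $ROUTER_RANGE as directly attached and would ARP for internal addresses on
# its own wire instead of handing them to the firewall's external port.
router_route() {
    echo "ip route add $INT_NET via $FW_EXT"
}

# Sanity check on the addressing: both subnets use the same mask length,
# as the post describes (only the gateway differs). Returns 0 when they match.
same_mask() {
    [ "${DMZ_NET#*/}" = "${INT_NET#*/}" ]
}

if [ "${1:-}" = "--apply" ]; then
    # Run on the firewall box as root; the router line is printed, not run.
    fw_rules | sh -e
    echo "Now on the router ($ROUTER_IP): $(router_route)"
else
    echo "# --- firewall ($FW_EXT on $EXT_IF, $FW_INT on $INT_IF), within $ROUTER_RANGE ---"
    fw_rules
    echo "# --- router ($ROUTER_IP) ---"
    router_route
fi
```

The point to notice is what is absent: there is no `-t nat` line anywhere, so the FTP/IRC NAT helpers never come into play, and the only thing standing between the internal hosts and the outside is the FORWARD chain plus the router's willingness to accept a static route. If the router cannot take that route, return traffic for the internal subnet has no path back and the layout fails regardless of the firewall rules.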