So I have a single server behind my firewall that runs a web application. Right now it's set up with Port Forwarding at the router level AND IPTABLES to further restrict the traffic.

With as rock solid as IPTABLES is, my question is should I even bother with the port forwards? Or should I just assign the server as DMZ and use IPTABLES by itself for traffic inspection / handling?

I've always done it the current way but thought maybe it's unnecessary.

    I would continue with your current setup, which is the same way my public linux server is hooked up. One reason is the comfort level if you ever need to temporarily turn off the linux firewall for some testing/development reasons, something I do occasionally in my office setup. But if everything is set up properly I don't think you'd need to lose any sleep worrying, I believe either approach should work fine.


      I personally love CSF on top of iptables. I find it easy to install, configure and maintain.

      If you DMZ your server, just set up /etc/csf/csf.conf to your needs for allowed ports (and other stuff as needed, but the default is good for most uses) and then /etc/csf/csf.allow for anything you want to whitelist.

      You also get LFD, which helps thwart bruteforce attempts by scanning logs for bruteforces and then auto-blocking those IPs:

      http://configserver.com/cp/csf.html
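For the iptables-only setup the original poster is considering (server in the router's DMZ, iptables as the sole filter), the following is an added example and not code from anyone in this thread or from the CSF project. It generates a default-deny ruleset in iptables-restore format so the rules can be reviewed and syntax-checked before they are loaded atomically, and it does in plain iptables roughly what the reply above configures through csf.conf (allowed ports) and csf.allow (whitelisted sources), plus a simple per-source rate limit on SSH as a stand-in for LFD's brute-force blocking. The web ports (80, 443), the admin network 192.0.2.0/24 and the file path /tmp/dmz-rules.v4 are constructed values for the example, not anything the thread specifies.

```shell
#!/bin/sh
# Added example (not from the thread or from CSF): build a default-deny iptables
# ruleset for a single web server sitting in the router's DMZ, where iptables is
# the only filter in front of the application. The ruleset is emitted in
# iptables-restore format so it can be reviewed, validated with --test and then
# applied atomically instead of rule by rule.
# Constructed assumptions: public web ports 80/443, SSH only from the admin
# network 192.0.2.0/24 (documentation range standing in for a real one).

WEB_PORTS="80 443"
ADMIN_NET="192.0.2.0/24"

# Print the ruleset. $1 = space-separated TCP ports open to the world
# (the csf.conf TCP_IN idea), $2 = CIDR allowed to reach SSH (the csf.allow idea).
build_rules() {
  web_ports=$1
  admin_net=$2
  printf '%s\n' '*filter'
  # Default-deny inbound and forwarded traffic; outbound is allowed.
  printf '%s\n' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT ACCEPT [0:0]'
  printf '%s\n' '-A INPUT -i lo -j ACCEPT'
  # Discard packets conntrack cannot classify before the stateful accept.
  printf '%s\n' '-A INPUT -m conntrack --ctstate INVALID -j DROP'
  printf '%s\n' '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
  # Rate-limited ping so the host stays reachable for monitoring.
  printf '%s\n' '-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/second -j ACCEPT'
  # Public web ports: only new connections opening with a SYN.
  for p in $web_ports; do
    printf '%s\n' "-A INPUT -p tcp --dport $p --syn -m conntrack --ctstate NEW -j ACCEPT"
  done
  # SSH only from the admin whitelist; more than 5 new connections from one
  # source inside 60 seconds are dropped (a minimal brute-force brake).
  printf '%s\n' "-A INPUT -p tcp -s $admin_net --dport 22 -m conntrack --ctstate NEW -m recent --name ssh --set"
  printf '%s\n' "-A INPUT -p tcp -s $admin_net --dport 22 -m conntrack --ctstate NEW -m recent --name ssh --update --seconds 60 --hitcount 6 -j DROP"
  printf '%s\n' "-A INPUT -p tcp -s $admin_net --dport 22 -m conntrack --ctstate NEW -j ACCEPT"
  # Log what reaches the default DROP, rate limited so the log cannot be flooded.
  printf '%s\n' '-A INPUT -m limit --limit 3/minute -j LOG --log-prefix "IPT-DROP: "'
  printf '%s\n' 'COMMIT'
}

# Self-check: count INPUT ACCEPT rules that carry neither a port nor a source
# restriction (loopback, the conntrack rule and rate-limited ping are expected
# and excluded). Anything other than 0 means a hole was opened by mistake.
unrestricted_accepts() {
  build_rules "$WEB_PORTS" "$ADMIN_NET" \
    | grep -- '-A INPUT' | grep -- '-j ACCEPT' \
    | grep -v -e '--dport' -e '-i lo' -e 'ESTABLISHED' -e 'icmp' | wc -l | tr -d ' '
}

if [ "${1:-}" = "apply" ]; then
  # Syntax-check first, then load atomically; requires root.
  build_rules "$WEB_PORTS" "$ADMIN_NET" > /tmp/dmz-rules.v4
  iptables-restore --test /tmp/dmz-rules.v4 && iptables-restore /tmp/dmz-rules.v4
else
  # Dry run: print the ruleset for review.
  build_rules "$WEB_PORTS" "$ADMIN_NET"
fi
```

Run it without arguments to inspect the generated rules, and with `apply` as root to load them. The atomic load matters most in exactly the situation the first reply raises: once the router forwards everything to the host, iptables is the only thing between the internet and every listening service, so a flushed table or a half-applied ruleset exposes the whole machine rather than just the forwarded ports.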
