Having the default policy on FOWRARD be ALLOW is a bit scary, in my opinion. When debugging iptables rules, the best thing you can do is have a LOG rule before every DROP or REJECT. In your case it looks like a REJECT, though. I assume you have a POSTROUTING rule that either does SNAT or MASQUERADE, right? Is it possible that rule is too specific?
You could also try running tcpdump on the firewall (eth2 and on whatever interface the DMZ is connected to) and see where the packets go to give you a better clue. That rule does look correct, so the problem is in one of the other rules.