Go with Jim's solution (dedicated router with firewall and NAT) - you don't *want* your machines to have direct global address leases. Then all your stuff will live on 192.168.*.*, and router will selectively direct port 80 or any other incoming traffic you want to the machine you specify, you will see the world from internal network, and you will be reasonably well protected.

Otherwise, the only other lege artis solution *is* to have two NICs in your machine, but also to run a firewall there.