In a nutshell, routers most commonly share a single IP adress to an internal network using a method called NAT...Network Address Translation. It hides the network (most commonly using a private IP scheme, like 192.168.1.XXX) from the outside world...all the outside world can see is the WAN IP that the ISP gives the router, like 18.104.22.168. All LAN workstations are hidden and protected because of the NAT.
Now someone needs to correct me here, but there are something like 64,000 ports out there. Each port or range of ports serves a special purpose, such as port 80...websites run on, port 23 I think is for FTP, port 5631 and 5632 are used by PcAnywhere host mode, Quake 3 uses port 27960, etc etc.
In NAT...you can forward a particular port or range of ports to only one computer inside the LAN. So if you are running a web server, and you want the outside world to see it, you need to forward port 80 to the private IP address of your web server. Lets say your server has an IP of 192.168.1.11....you'll forward to that IP. Since you only are forwarding one port, port 80, all your other ports on that computer are still protected.
DMZ...DeMilitarized Zone, means to put an IP completely out in the open....so that EVERY port is wide open. Not secure at all...it's completely naked.