By default, Linux IP Masquerading cannot handle incoming services at all but there are a few ways that would allow this.
If you do not require high levels of security, then you can simply forward or redirect IP ports. There are various ways to perform this, though the most stable method is to use IPPORTFW. For more information, please see Section 6.7.
If you wish to have some level of authorization on incoming connections, then you will need to either configure TCP-wrappers or Xinetd to allow only specific IP addresses to pass. The TIS Firewall Toolkit is a good place to look for tools and information.
More details on incoming security can be found in the TrinityOS document and at IP Masquerade Resource.