Hi Maskkk!
Nice diagram btw!
Generally, placing a machine in a DMZ zone with ports being forwarded from the Public to it poses security risks. If all these services must run on the same box, then you do have limited options; however, splitting them between two or more servers could provide a wise tactic.
These days, the deployment of servers/services accessed by the public should also be accompanied by the installation of Firewalls and IPS systems, especially if we are talking about an organization.
Use the strongest possible encryption for SSH, and limit access for specific accounts from which you can then SU to gain elevated privileges. As far as binding the services to the localhost - I'm not really sure if this can work, but it sounds like an interesting idea; however, something tells me that it might not just be enough.
Finally, if you are able to limit the IP addresses that will have access to the server, then do it - no questions asked, especially if there is no IPS and other means of protection such as advanced firewalls etc.
Hope this helps!
Chris.
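
The SSH points in the reply above (named accounts only, no direct root login, restricted source addresses, strong ciphers) can be checked against an `sshd_config` with a short audit script. This is an added example, not part of the original post; the account names, the 192.0.2.x addresses, both sample configs and the weak-cipher marker list are constructed assumptions.

```python
# Added example: audit global sshd_config settings against the advice above.
WEAK_CIPHER_MARKERS = ("cbc", "arcfour", "3des")  # assumption of this example

def effective_settings(text):
    """Return (settings, allow_users) for the global section.
    sshd keeps the FIRST value it reads for a keyword, so a later
    duplicate line does not override an earlier one."""
    settings, allow_users = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.replace("=", " ", 1).split()  # "Key value" or "Key=value"
        if not parts:
            continue
        key, args = parts[0].lower(), parts[1:]    # keywords are case-insensitive
        if key == "match":
            break                                  # conditional blocks are out of scope
        if key == "allowusers":
            allow_users.extend(args)               # collect every listed pattern
        else:
            settings.setdefault(key, args)         # first occurrence wins
    return settings, allow_users

def audit(text):
    """Return a list of finding codes; an empty list means all checks passed."""
    settings, allow_users = effective_settings(text)
    findings = []
    if settings.get("permitrootlogin", ["unset"])[0].lower() != "no":
        findings.append("root-login")   # log in as a user, then su
    if not allow_users:
        findings.append("accounts")     # no explicit AllowUsers list
    elif any("@" not in u for u in allow_users):
        findings.append("source")       # account allowed from any address
    ciphers = ",".join(settings.get("ciphers", []))
    if not ciphers.startswith("-") and any(
            m in c.lower() for c in ciphers.split(",") for m in WEAK_CIPHER_MARKERS):
        findings.append("ciphers")      # legacy cipher explicitly enabled
    return findings

# Constructed sample configs
WEAK = "PermitRootLogin yes\nPermitRootLogin no\nCiphers aes256-ctr,aes128-cbc\n"
HARDENED = ("PermitRootLogin no\n"
            "AllowUsers admin@192.0.2.10 deploy@192.0.2.*\n"
            "Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com\n")

if __name__ == "__main__":
    print("weak:", audit(WEAK))
    print("hardened:", audit(HARDENED))
```

The weak sample shows why the first-value rule matters: the later `PermitRootLogin no` line looks like a fix but has no effect.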