If you are not familar with firewalld and the firewall-cmd, check out our Getting Started article.
Masquerade must be turned on to port forward. Use the --add-forward-port=port=xx:proto=xxx:toport=xx to forward traffic from one port to another. In this example, traffic is forwarded from TCP port 22 to port 12345. In this example, the SSH service listening on port 12345 is on the same server as the SSH service with port 22.
firewall-cmd --zone=external --add-forward-port=port=22:proto=tcp:toport=12345 --permanent
To forward request to another server, add the target IP address.
firewall-cmd --zone=external --add-forward-port=port=22:proto=tcp:toport=10.1.2.3:12345 --permanent
The --check-config command can be used to ensure there are no configuration errors.
~]$ firewall-cmd --check-config success
firewall-cmd --list-all will show the forward ports.
~]# firewall-cmd --list-all public target: default icmp-block-inversion: no interfaces: eth0 sources: services: ports: protocols: masquerade: no forward-ports: 12345 sourceports: icmp-blocks: rich rules: