VPN Technology · November 10, 2023

CentOS 7 Firewall Port Forwarding Guide (for Shadowsocks)

CENTOS7-FIREWALLD Port Forwarding (for shadowsocks)

To redirect inbound network packets from one port or address to an alternative port or address, first enable IP masquerading for a zone, such as external, by entering the following command as root:

~]# firewall-cmd --zone=external --add-masquerade

To forward packets to a local port, which is a port on the same system, enter the following command as root:

~]# firewall-cmd --zone=external --add-forward-port=port=22:proto=tcp:toport=3753

In this example, packets for port 22 are now forwarded to port 3753. The original destination port is specified with the port option, which can be a single port or a range of ports, combined with the protocol. The protocol, if specified, must be either tcp or udp. The new local port or range of ports, to which the traffic is being forwarded, is specified with the toport option. To make this setting permanent, add the --permanent option and reload the firewall.

To forward packets to another IPv4 address, typically an internal address, without changing the destination port, enter the following command as root:

~]# firewall-cmd --zone=external --add-forward-port=port=22:proto=tcp:toaddr=192.0.2.55

In this example, packets for port 22 are now forwarded to the same port at the address given with the toaddr option. The original destination port is specified with the port option, which can be a single port or a range of ports, combined with the protocol. The protocol, if specified, must be either tcp or udp. The new destination port or range of ports to which the traffic is being forwarded is specified with the toport option. To make this setting permanent, add the --permanent option and reload the firewall.

To forward packets to another IPv4 address, typically an internal address, and another port, enter the following command as root:

~]# firewall-cmd --zone=external --add-forward-port=port=22:proto=tcp:toport=2055:toaddr=192.0.2.55

In this example, packets for port 22 are now forwarded to port 2055 at the address given with the toaddr option. The original destination port is specified with the port option, which can be a single port or a range of ports, combined with the protocol. The protocol, if specified, must be either tcp or udp. The new destination port or range of ports to which the traffic is being forwarded is specified with the toport option. To make this setting permanent, add the --permanent option and reload the firewall.

 

firewall-cmd --reload     # Reload the firewall configuration
firewall-cmd --list-all   # View all information
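
A forward rule added without --permanent lives only in the runtime configuration and is discarded by firewall-cmd --reload, while a rule added only with --permanent is not active until the reload. The script below is an added example, not part of the original post: it compares the runtime and permanent forward-port listings of a zone and reports rules present in only one of them. The function names and the sample listings are assumptions made for this example.

```shell
#!/bin/sh
# Added example: detect forward-port rules that exist only in the runtime
# or only in the permanent firewalld configuration of a zone.

# Print every rule of listing $1 that is missing from listing $2.
# Listings hold one rule per line, as --list-forward-ports prints them.
only_in() {
    printf '%s\n' "$1" | while IFS= read -r rule; do
        [ -n "$rule" ] || continue
        printf '%s\n' "$2" | grep -Fxq -- "$rule" || printf '%s\n' "$rule"
    done
}

# Compare a runtime listing ($1) with a permanent listing ($2).
# Returns 0 when they match, 1 when any rule exists in only one of them.
forward_drift() {
    lost=$(only_in "$1" "$2")      # active now, gone after --reload or reboot
    pending=$(only_in "$2" "$1")   # saved, but inactive until --reload
    [ -z "$lost" ] || printf '%s\n' "$lost" | sed 's/^/runtime-only: /'
    [ -z "$pending" ] || printf '%s\n' "$pending" | sed 's/^/permanent-only: /'
    [ -z "$lost" ] && [ -z "$pending" ]
}

# On a live host, as root: check_zone external
check_zone() {
    forward_drift "$(firewall-cmd --zone="$1" --list-forward-ports)" \
                  "$(firewall-cmd --permanent --zone="$1" --list-forward-ports)"
}

# Constructed sample listings (not captured from a real system): the second
# rule was added at runtime only, so it would vanish on the next reload.
SAMPLE_RUNTIME='port=22:proto=tcp:toport=3753:toaddr=
port=22:proto=tcp:toport=2055:toaddr=192.0.2.55'
SAMPLE_PERMANENT='port=22:proto=tcp:toport=3753:toaddr='

forward_drift "$SAMPLE_RUNTIME" "$SAMPLE_PERMANENT" ||
    echo "runtime and permanent forward rules differ"
```

A rule reported as runtime-only should be re-added with --permanent if it is meant to persist, or removed if it is not meant to be there at all.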