Have faced a similar issue personally and this solution has come to my rescue. Please give it a try and let me know if it helped.
There are few ways to access a server behind NAT:Port forwarding, you can configure the router/firewall to forward the incoming traffic to an internal server. Usually, you need to specify the Protocol (UDP/TCP), External Service Port, and Internal Service Port.
For the ssh port forwarding with firewall-cmd, please try this command:
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 222 -j DNAT \--to 172.x.x.x.:22 From the given code, I kind of understand that this is what you are trying to achieve. So, please make sure to check the port. In my case, I have tried the same with port 80.
This rule specifies the NAT table to use the built-in PREROUTING chain to forward incoming HTTP requests exclusively to the listed destination IP address
