
How to use POSTROUTING / SNAT with firewalld?

6 votes
2 answers
18582 views
I am trying to set up SNAT with firewalld on my CentOS 7 router as described [here](https://unix.stackexchange.com/questions/389756/how-to-use-snat-with-firewalld-vs-masq), with additions from [Karl Rupp's explanation](https://www.karlrupp.net/de/computer/nat_tutorial), but I end up like [Eric](https://www.reddit.com/r/homelab/comments/auks1f/how_to_masquerade_source_nat_to_an_ip_alias_with/). I also read some other documentation, but I am not able to get it to work so that my client IP is translated into another source IP.

Both

```
firewall-cmd --permanent --direct --add-rule ipv4 nat POSTROUTING 0 -p tcp -o enp1s0 -d 192.168.15.105 -j SNAT --to-source 192.168.25.121
```

and

```
firewall-cmd --permanent --direct --add-rule ipv4 nat POSTROUTING 0 -p tcp -s 192.168.15.105/32 -j SNAT --to-source 192.168.25.121
```

give a "success". I do a `firewall-cmd --reload` afterwards. But if I try to examine the table with `iptables -t nat -nvL POSTROUTING`, the rule is not listed. If I apply one of the above rules again, firewalld warns me with e.g.

```
Warning: ALREADY_ENABLED: rule '['-p', 'tcp', '-o', 'enp1s0', '-d', '192.168.15.105', '-j', 'SNAT', '--to-source', '192.168.25.121']' already is in 'ipv4:nat:POSTROUTING'
```

but no SNAT functionality for the source IP 192.168.15.105 to be masqueraded as 192.168.45.121 is working. Maybe someone can explain to me what I am doing wrong?

---

After hours of struggling, I am still stuck on DNAT/SNAT. I now use only iptables with:

1. `iptables -t nat -A PREROUTING -p tcp --dport 1433 -i enp1s0 -d 192.168.25.121 -j DNAT --to-destination 192.168.15.105` and
2. `iptables -t nat -A POSTROUTING -p tcp --sport 1433 -o enp1s0 -s 192.168.15.105/32 -j SNAT --to-source 192.168.25.121`

so `iptables -t nat -nvL PREROUTING` shows:

```
PREROUTING (policy ACCEPT 7 packets, 590 bytes)
pkts bytes target     prot opt in     out     source               destination
129 12089 PREROUTING_direct  all  --  *      *       0.0.0.0/0            0.0.0.0/0
129 12089 PREROUTING_ZONES_SOURCE  all  --  *      *       0.0.0.0/0            0.0.0.0/0
129 12089 PREROUTING_ZONES  all  --  *      *       0.0.0.0/0            0.0.0.0/0
0     0 DNAT       tcp  --  enp1s0 *       0.0.0.0/0            192.168.25.121       tcp dpt:1433 to:192.168.15.105
```

and `iptables -t nat -nvL POSTROUTING` shows:

```
POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   97  7442 POSTROUTING_direct  all  --  *      *       0.0.0.0/0            0.0.0.0/0
   97  7442 POSTROUTING_ZONES_SOURCE  all  --  *      *       0.0.0.0/0            0.0.0.0/0
   97  7442 POSTROUTING_ZONES  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 SNAT       tcp  --  *      enp1s0  192.168.15.105       0.0.0.0/0            tcp spt:1433 to:192.168.25.121
```

All done right, here are some more good explanations:

- [https://wiki.ubuntuusers.de/iptables2](https://wiki.ubuntuusers.de/iptables2/)
- [https://netfilter.org/documentation/HOWTO/NAT-HOWTO-6.html](https://netfilter.org/documentation/HOWTO/NAT-HOWTO-6.html)
- [https://serverfault.com/questions/667731/centos-7-firewalld-remove-direct-rule](https://serverfault.com/questions/667731/centos-7-firewalld-remove-direct-rule)

but still iptraf-ng lists: (screenshot of the iptraf-ng output)

Isn't PREROUTING (resp. POSTROUTING) done before (resp. after) ip_forwarding from the internal to the external interface?
Asked by Jochen Gebsattel (163 rep)
Sep 9, 2019, 02:34 PM
Last activity: Jan 18, 2025, 04:46 PM
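The listings in the question show the second half of the problem: the SNAT and DNAT rules are present but their packet counters stay at 0, so the traffic never reaches them. The following POSIX shell helper is an added example, not code from the question or its answers; it parses `iptables -t nat -nvL` output (the sample below is constructed from the POSTROUTING listing in the question) and classifies a rule as absent, idle (listed but never matched) or active, which is the check to run before looking for a NAT bug elsewhere.

```shell
#!/bin/sh
# Added example: classify a NAT rule from `iptables -t nat -nvL <CHAIN>` output.
# A rule that is listed with 0 pkts means the packets take another path
# (wrong interface, ip_forward off, or a conntrack entry created before the
# rule existed), which is a different problem from the rule being missing.

# Constructed sample, copied from the POSTROUTING listing in the question.
SAMPLE_POSTROUTING='POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   97  7442 POSTROUTING_direct  all  --  *      *       0.0.0.0/0            0.0.0.0/0
   97  7442 POSTROUTING_ZONES_SOURCE  all  --  *      *       0.0.0.0/0            0.0.0.0/0
   97  7442 POSTROUTING_ZONES  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 SNAT       tcp  --  *      enp1s0  192.168.15.105       0.0.0.0/0            tcp spt:1433 to:192.168.25.121'

# nat_rule_pkts LISTING TARGET ADDRESS
# Prints the packet counter of the first rule whose target column is TARGET
# and whose "to:" address is ADDRESS, or "absent" if there is no such rule.
nat_rule_pkts() {
    printf '%s\n' "$1" | awk -v target="$2" -v addr="$3" '
        NR <= 2 { next }                      # chain header and column header
        $3 == target && $0 ~ ("to:" addr "( |$)") { print $1; found = 1; exit }
        END { if (!found) print "absent" }'
}

# nat_rule_status LISTING TARGET ADDRESS -> absent | idle | active
nat_rule_status() {
    pkts=$(nat_rule_pkts "$1" "$2" "$3")
    case "$pkts" in
        absent) echo absent ;;
        0)      echo idle ;;                  # present, never matched a packet
        *)      echo active ;;
    esac
}

# Stand-alone run against the sample from the question: prints "idle".
nat_rule_status "$SAMPLE_POSTROUTING" SNAT 192.168.25.121
```

In practice feed it the live output, e.g. `nat_rule_status "$(iptables -t nat -nvL POSTROUTING)" SNAT 192.168.25.121`, and re-run it after generating test traffic to see whether the counter moves.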