I am using a SLES 15 machine with 2 network cards as a router for a private network to the internet. I have set up IP masquerading and machines in the 'private' network can access the internet successfully.

What I want to do now is limit the outbound traffic from the private network to the external network to a selection of TCP ports and block everything else. I need to allow port 22 (SSH) and a few ports on an external licence server but nothing else (no http or https, for example), but I am struggling to see how to set up firewalld to do this.

The firewall is running and the internal zone allows https, as my router machine is running rmt for patching and registration, but I only want this to apply to connections from the internal (private) networks to the router itself, not via the masquerading process to the external network.

Can anyone offer any advice or links to resources on how to set this up?
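One way to do this is with a firewalld policy object, which filters forwarded traffic between zones independently of the zone rules that protect the router itself. The script below is an added example, not from the original post; it assumes firewalld 0.9 or newer (the version that introduced policies) and uses placeholder port numbers for the licence server.

```bash
#!/bin/bash
# Added example, not part of the original post: restrict traffic that the router
# forwards (and masquerades) from the firewalld 'internal' zone to the 'external'
# zone to an allow-list of TCP ports, using a firewalld policy object.
# Assumption: firewalld 0.9 or newer, which introduced policies. Zone rules such
# as the https service on 'internal' keep applying only to traffic addressed to
# the router itself; the policy governs the forwarded traffic.
#
# 27000 and 27001 are placeholders for the licence-server ports.
POLICY="int-to-ext"
ALLOWED_TCP_PORTS="22 27000 27001"

# Print the firewall-cmd invocation unless APPLY=1 is set, so the rule set can be
# reviewed before it is applied to a live router (as root).
fw() {
  if [ "${APPLY:-0}" = "1" ]; then
    firewall-cmd "$@"
  else
    echo "firewall-cmd $*"
  fi
}

configure_forward_policy() {
  fw --permanent --new-policy="$POLICY"
  # Match traffic entering via 'internal' and leaving via 'external'.
  fw --permanent --policy="$POLICY" --add-ingress-zone=internal
  fw --permanent --policy="$POLICY" --add-egress-zone=external
  # The default policy priority (-1) is evaluated before the zones' own
  # forward rules, so this REJECT takes precedence over the masquerading
  # zone's accept; only the ports added below get through.
  fw --permanent --policy="$POLICY" --set-target=REJECT
  for p in $ALLOWED_TCP_PORTS; do
    fw --permanent --policy="$POLICY" --add-port="${p}/tcp"
  done
  fw --reload
}

# Sanity check: number of explicit allow rules the policy will carry.
allowed_rule_count() {
  APPLY=0 configure_forward_policy | grep -c -- '--add-port='
}

# Usage: ./restrict-forward.sh (review), then APPLY=1 ./restrict-forward.sh
configure_forward_policy
```

After reloading, `firewall-cmd --info-policy=int-to-ext` shows the ingress/egress zones, target and ports, and a client in the private network should still reach port 22 externally while an https request to an external host is rejected.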