what is port forwarding and why is it used?


5 Answers

Anonymous 0 Comments

A connection has many ports. If an IP address is an address for an apartment building, the port is the apartment number for an individual app.
Most apps only respond to certain ports. This allows many apps to use an internet connection.

It’s rare that a working computer is connected directly to the internet.
Usually they’ll be connected to a router, which is connected to the internet.
Now you can set up a computer to do certain things.
Like say send back a webpage or upload a file.

Port Forwarding is telling your router “If someone uses this port, send it to this particular computer on this port”
So that way if someone wants to access your webpage, they put in the webpage port, and your router makes the webpage computer do it.
While if someone wants a file, your router sends it to your file computer, and your file computer does it.

Now another possible usage is just adding a little bit of security. Like a small bit.
Just because your router receives it in one port, doesn’t mean it has to be forwarded to the same port.
So for example, hackers often get lazy, they have their bots try millions of addresses, and they know that most people will use their default ports. So they try doing their hacker tricks on those ports, and if it doesn’t work they move on to another computer.
Now if you set up the port to be different than normal, when they try it, your router will make it fail because you told it to just ignore the port. And if someone who you told tries the right port, it will work.
Now if the hacker tries many different ports, or if they know what port you are using, then they can try it. But trying many different ports is hard and it’s faster to just try someone else.

Anonymous 0 Comments

When something outside of your home or office network needs to talk to something inside of the network it uses a port. If you have no firewall/router all ports are open. To allow that traffic in to the correct computer when you do have a firewall, you forward that port to the computer expecting the traffic. This allows the external device to have its request forwarded to the correct internal device.

Your firewall will allow connections out without this, and once established that connection can become two way. That is why it’s not normally needed. Only when the connection is initiated from the external device.

It’s worth noting that these ports can be scanned, and forwarding the wrong ports can expose your systems to the wild internet and anyone who cares to attempt access.

Edit: added the note

Anonymous 0 Comments

Every device that connects to the internet has a set of numbers given to it, which is called its IP. Basically IP is like an address for that device in the city of Internet.

Now that device can run several different types of software services, like mail, browsing the internet, remote desktop to another device, gaming, etc. So for each of these services to talk through the internet, obviously they connect through the IP, but also through a specific port (like a specific channel for that software service). For example when you browse Google.com you are making a connection to the Google.com server’s IP address and port 80 if you are making an http request or port 443 if you are making an https request.

Now let’s say in your home, you’ve got a router with a public IP address. A public IP address means you can reach that device from anywhere on the internet using its public IP. Your other home devices like a laptop or phone will get private IPs as allocated by your router. You can run a webserver on your laptop but since your laptop’s IP is private, you can’t access that website from the internet. But you have a public IP on your router so what you can do is create a configuration on the router which says any request coming to this router at port 80 goes to your laptop (specify its private IP) and its port 80.
Now when you access your router’s public.ip:80 from the internet, the request will reach your router and since the router has the forwarding configuration, it will forward that request to your laptop.
Let’s say you have another website running on another laptop. You can configure another port forwarding setting in the router which says port 81 requests go to the other laptop’s private IP with port 80 (webserver runs through 80 by default).

Now from the internet if you go to public.ip:80 it will open up the website from the first laptop, but if you do public.ip:81 it will open up the website from the second laptop.

TLDR – ports are like channel numbers we give to software services. Any device that can receive a request on one port can forward that request to another device at a different or the same port.

Anonymous 0 Comments

Every computer on the Internet needs an IP address.

The world ran out of IP addresses a decade ago.

Since then, we’ve been using nasty tricks to get by without having enough. Your home router probably has an IP address on the Internet, but your computer does not. Instead your computer has a “fake” IP address that nobody can actually talk to, outside of your network. And when your computer tries to connect to some other computer on the Internet, your router intercepts the connection and fiddles with it to make it look like the connection is coming from the router’s address. This is called Network Address Translation, or NAT, and it’s absolutely terrible.

When someone else wants to connect to your computer, they can’t because it doesn’t have a real IP address. They have to connect to your router instead. That means the router has to know what to do with the connection, and that is port forwarding.

Because there aren’t even enough IP addresses for every *house* to have one (if you are in a developed country you probably do have one because developed countries got first dibs), many Internet companies also have their own NAT routers. So even *your router* doesn’t have a real IP address, only a router at the Internet company has one. And they won’t let you fiddle with their router’s settings. No Minecraft servers for you. Oh dear how sad.

*Three* decades ago, engineers saw this would be a problem and made a modified IP protocol with way more addresses, called IPv6 (IP version 6) but only 1/3 of the Internet still actually uses it, mostly cellphones. Call it IP address climate change. If you want to not have port forwarding, there are sites you can use to check if you have IPv6 set up, and sometimes you can call your Internet company and ask them to turn it on for you. Note that to make a connection with IPv6, both ends of the connection need to use it.

Anonymous 0 Comments

you can think of it as a sort of a “tunnel” between a machine on your LAN (not visible on the Internet – because LANs use *non-routable addresses* which every sane internet router discards) and a machine/device visible on the Internet (one having a routable/public IP address) which is your router (must have 2 network interfaces to be one).

its primary use is to expose a machine behind a router (NAT) to outside Internet – could be gaming, webserver, torrent traffic, remote desktop, whatever. anything that requires “visibility” on the net.
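
Added example, not part of any answer above: a toy Python model of the decision a home router makes for each packet, combining the forward rules from the public.ip:80 / public.ip:81 answer with the outbound NAT tracking described in the firewall and NAT answers. The `Router` class, its method names and all addresses are constructed for illustration (documentation-range IPs); a real router does this in its firewall/NAT engine.

```python
"""Toy model of a home router's NAT and port-forwarding decisions (constructed)."""
from dataclasses import dataclass, field

PUBLIC_IP = "203.0.113.10"  # constructed documentation-range address


@dataclass
class Router:
    public_ip: str
    # external port -> (private IP, private port); set by the administrator
    forwards: dict = field(default_factory=dict)
    # router source port -> (private IP, private port, remote IP, remote port)
    conntrack: dict = field(default_factory=dict)
    next_port: int = 40000

    def add_forward(self, ext_port, lan_ip, lan_port):
        self.forwards[ext_port] = (lan_ip, lan_port)

    def outbound(self, lan_ip, lan_port, remote_ip, remote_port):
        """A LAN host opens a connection: its source becomes the public IP."""
        nat_port = self.next_port
        self.next_port += 1
        self.conntrack[nat_port] = (lan_ip, lan_port, remote_ip, remote_port)
        return (self.public_ip, nat_port)

    def inbound(self, remote_ip, remote_port, dst_port):
        """Return the LAN (ip, port) a packet is delivered to, or None if dropped."""
        entry = self.conntrack.get(dst_port)
        if entry and entry[2:] == (remote_ip, remote_port):
            return entry[:2]                 # reply to a connection we started
        return self.forwards.get(dst_port)   # forward rule, otherwise dropped


def exposed_services(router):
    """What the forward rules make reachable by anyone on the Internet."""
    return sorted((p, ip, lp) for p, (ip, lp) in router.forwards.items())


def demo():
    r = Router(PUBLIC_IP)
    r.add_forward(80, "192.168.1.20", 80)  # first laptop's web server
    r.add_forward(81, "192.168.1.21", 80)  # second laptop, other external port
    src = r.outbound("192.168.1.30", 51000, "198.51.100.7", 443)
    return r, src


if __name__ == "__main__":
    r, src = demo()
    print("outbound rewritten to", src)
    print("port 81 ->", r.inbound("198.51.100.99", 12345, 81))
    print("port 22 ->", r.inbound("198.51.100.99", 12345, 22))
    print("exposed:", exposed_services(r))
```

`exposed_services` is the list worth reviewing on a real router: every entry is reachable by any scanner, whichever external port number was chosen.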