Você pode usar o iptables. Abaixo está uma versão do script de uma solução proposta. Eu não sei quais regras do iptables você já pode ter, então algum trabalho de mesclagem pode ser necessário.
#!/bin/sh
FWVER=0.02
#
# test-oli rule set 2016.01.14 Ver:0.02
# Having tested this on my test server using port 80,
# convert for what Oli actually wants (which I can not test).
#
# test-oli rule set 2016.01.14 Ver:0.01
# Port forward when this computer has one nic and
# is not a router / gateway.
# In this case the destination is a guest VM on this
# host but, with bridged networking and all IP addresses
# from the main LAN, that should not be relevant.
#
# This script may conflict with other iptables rules on the
# host, I don't know. On my test server, clobbering the existing
# iptables rules is O.K. because I do not use the virbr0 stuff,
# nor the default virtual network, anyhow.
#
# References:
# https://sobrelinux.info/questions/46314/port-forwarding-between-bridged-interfaces"test-oli rule set version $FWVER..\n"
# The location of the iptables program
#
IPTABLES=/sbin/iptables
# Setting the EXTERNAL and INTERNAL interfaces and addresses for the network
# Use br0 instead of eth0. While using eth0 seems to work fine, the packet counters
# don't work, so debugging information is better and more complete using br0.
#
#
INTIF="br0"
INTIP="10.10.0.2"
FORIP="10.10.0.15"
UNIVERSE="0.0.0.0/0"
echo " Internal Interface: $INTIF Internal IP: $INTIP Forward IP $FORIP"
# CRITICAL: Enable IP forwarding since it is disabled by default
#
echo Enabling forwarding...
echo "1" > /proc/sys/net/ipv4/ip_forward
# Clearing any previous configuration
#
echo " Clearing any existing rules and setting default policy to ACCEPT.."
$IPTABLES -P INPUT ACCEPT
$IPTABLES -F INPUT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -F OUTPUT
$IPTABLES -P FORWARD ACCEPT
$IPTABLES -F FORWARD
$IPTABLES -t nat -F
# Delete user defined chains
$IPTABLES -X
# Reset all IPTABLES counters
$IPTABLES -Z
# While my references do not have it, I think this is needed.
$IPTABLES -t nat -Z
# First we change the destination of any incoming port 80 traffic
#
$IPTABLES -t nat -A PREROUTING -p tcp -i $INTIF --dport 9000 -j DNAT --to-destination $FORIP:9000
$IPTABLES -t nat -A PREROUTING -p tcp -i $INTIF --dport 9001 -j DNAT --to-destination $FORIP:9001
# And then we do the actual forward
# FORWARD rules would only be needed if the default policy is not ACCEPT
# (Shown here for completeness)
#
$IPTABLES -A FORWARD -p tcp -i $INTIF -d $FORIP --dport 9000 -j ACCEPT
$IPTABLES -A FORWARD -p tcp -i $INTIF -d $FORIP --dport 9001 -j ACCEPT
# Now, we need to change the source address, otherwise the reply packets
# would be sent directly to the client, causing confusion.
$IPTABLES -t nat -A POSTROUTING -o $INTIF -j SNAT --to-source $INTIP
echo "test-oli rule set version $FWVER done."