linux – How to interpret received packages, although not being destination host

Being:

  • Victim: 192.168.0.2
  • Attacker (also having SSH server installed): 192.168.0.3
  • SSH server: 192.168.0.4

I perform a successful ARP Spoofing attack (being obviously the attacker's MAC address):

[Image: victim shell shown]

But when I try to connect via ssh user@192.168.0.4, instead of connecting to the attacker's ssh server, it redirects the traffic to the real ssh server (or keeps waiting for this connection if traffic redirect is disabled in the attacker's /proc/sys/net/ipv4/ip_forward file).

Is there any way I could interpret packages coming from an IP before redirecting to the original destination?

Thank you in advance.

Note: in case it’s relevant, I’m using dockers inside GNS3 inside a VM, those dockers being Ubuntu. This is the scheme: