[rosser]

It probably doesn't.

  # accept traffic to the normal ssh port
  iptables -A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT
  # accept traffic on the port kippo is listening on
  iptables -A INPUT -i eth0 -p tcp --dport 2222 -j ACCEPT
  # direct traffic inbound on port 22 to port 2222
  iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 22 -j REDIRECT --to-port 2222

Make sure also to add an ACCEPT rule for traffic to whatever port sshd is actually bound to.

[cft]

http://www.faqs.org/docs/iptables/traversingoftables.html Table nat is traversed <b>before</b> filter table. Therefore, the rule iptables -A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT is unnecessary.

[gcb]

Everyone, hear the post above.

Damn little arrows and imprecise HTC touchscreens... downvoted you by mistake

[dmm]

That's fine so long as you trust all of the users on your system. Otherwise they could potentially get something running on port 22. Which, so long as you aren't actually sending auth info to 22, probably isn't a big deal.