SSH port block: port forwarding


I need to access SSH on machine A on a port other than 22, because only the standard ports are allowed out of the network I use. Therefore, I want to route port 443 of machine B to port 22 on machine A (on machine A, no standard port is free anymore and I do not want to touch the production machine).

Machine B is just an unused machine, so port 443 is not used. Furthermore, this solution is only for a few days.

My questions are:

- How do I forward port 443 of machine B (5.6.7.8) to port 22 of machine A (1.2.3.4)? I am thinking about iptables.

- What about security with this method? It should not be a problem because of the SSH server key fingerprint, correct?

Richard

Posted 2015-07-29T09:39:49.973


Answers


You'll need to use NAT functionality in iptables. It's documented here: Destination NAT with netfilter (DNAT). However, that doesn't cover port numbers. I've seen it working with just putting a port number behind the IP address, though.

I think that this will work:

iptables -t nat -A PREROUTING -p tcp -d 5.6.7.8 --dport 443 -j DNAT --to-destination 1.2.3.4:22

This, of course, assumes that 5.6.7.8 can reach 1.2.3.4:22. Regarding security, you'll probably see some clients trying to connect to SSH. If you have strong passwords on all accounts (or even better, pubkey authentication only), it should still be quite safe.

edit: I saw that this question is already answered on Server Fault: How can I port forward with iptables?

jornane


Thank you, this should be the solution. Will check this later. – Richard – 2015-07-29T12:19:36.373
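Added example, not part of jornane's answer: the single PREROUTING rule above only rewrites the destination. For the forwarded connection to actually work, B must also have IP forwarding enabled, its FORWARD chain must let the traffic through, and, unless B happens to be A's default gateway, the source must be rewritten on the way out so that A's replies come back through B instead of going straight to the client. The script below builds all four rules from the question's placeholder addresses; the "show/apply/remove" verbs and the function names are this example's own convention, and the remove verb exists because the forward is only meant to live for a few days.

```shell
#!/bin/sh
# DNAT port forward on machine B: <B_IP>:<B_PORT> -> <A_IP>:<A_PORT>.
# Added example, not the original answer's code. Addresses are the question's
# placeholders and can be overridden from the environment.
set -eu

B_IP="${B_IP:-5.6.7.8}"      # public address of machine B
B_PORT="${B_PORT:-443}"      # the port the restricted network lets through
A_IP="${A_IP:-1.2.3.4}"      # machine A, reachable from B
A_PORT="${A_PORT:-22}"       # sshd on A

# Print the netfilter rules. $1 is "-A" (append) or "-D" (delete), so the
# same function produces the teardown once the few days are over.
forward_rules() {
    op="$1"
    cat <<EOF
iptables -t nat $op PREROUTING -p tcp -d $B_IP --dport $B_PORT -j DNAT --to-destination $A_IP:$A_PORT
iptables $op FORWARD -p tcp -d $A_IP --dport $A_PORT -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
iptables $op FORWARD -p tcp -s $A_IP --sport $A_PORT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -t nat $op POSTROUTING -p tcp -d $A_IP --dport $A_PORT -j MASQUERADE
EOF
}

# Enable routing and install the rules. Needs root on B.
apply_rules() {
    [ "$(id -u)" -eq 0 ] || { echo "apply must run as root" >&2; return 1; }
    sysctl -w net.ipv4.ip_forward=1 >/dev/null
    forward_rules -A | sh -e
}

# Remove exactly the rules installed by apply_rules.
remove_rules() {
    [ "$(id -u)" -eq 0 ] || { echo "remove must run as root" >&2; return 1; }
    forward_rules -D | sh -e
}

case "${1:-show}" in
    show)   forward_rules -A ;;   # print what apply would run
    apply)  apply_rules ;;
    remove) remove_rules ;;
    *)      echo "usage: $0 [show|apply|remove]" >&2; exit 2 ;;
esac
```

Two things to keep in mind with this layout. Because of the MASQUERADE rule, A sees every forwarded session as coming from B's address, so A's logs and any brute-force blocker on A will attribute all of them to B; if B is already A's default gateway, drop the POSTROUTING line and A will see the real client addresses. On the security question: the client talking to 5.6.7.8:443 receives A's host key and stores it in known_hosts under "[5.6.7.8]:443", so the protection only holds if the fingerprint shown at the first connection is compared against the output of "ssh-keygen -lf /etc/ssh/ssh_host_ed25519_key.pub" (or the RSA/ECDSA key file) obtained on A itself, not simply accepted.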


Do you log in manually, or does a service on an external machine X need to log in to machine A? For manual login you can do this:

  1. You set the SSH server on machine B to listen on port 443. Of course you need to set up the company firewall to direct external traffic for port 443 to this machine.
  2. You log in to machine B. Now you're on the local network, probably without firewall restrictions.
  3. From machine B, log in to machine A, which has its SSH server listening on port 22.

Given that you can set the firewall to direct traffic for port 443 to machine B, why can't you set the firewall to listen on port 22 or port 54827 (or any random port number) and route that to machine A?

Another option is to tunnel SSH traffic through B to A.

Security is as good as SSH gets.

SPRBRN


I thought about this, too. But this can be easier with port forwarding ;-) Thank you! – Richard – 2015-07-29T12:18:57.940

What is easier than this as you only need it for a few days? – SPRBRN – 2015-07-29T13:15:17.957

See my edit about tunneling traffic. – SPRBRN – 2015-07-29T13:18:56.510


Unless I've misunderstood what you need to do, it's fairly simple to achieve what you want if you control B, can configure the SSH daemon on B to listen on port 443 rather than the standard port 22, and can set any firewall software on B to allow inbound connections to port 443, as long as traffic to port 443 is allowed outbound from the network you use.

If B is a Linux system, getting it to listen on port 443 for SSH connections will likely require a minor update to /etc/ssh/sshd_config. Look for the line below in the file:

#Port 22

Remove the "#", which signifies what follows will otherwise be treated as a comment, from the beginning of the line. Change "22" to "443" and then restart the SSH daemon.

On the client system, you use the -L option for SSH, which will result in local connections, i.e. ones to the system from which you initiate the SSH connections, being forwarded to a port on some other system from the SSH server to which you connect.

 -L [bind_address:]port:host:hostport
             Specifies that the given port on the local (client) host is to be
             forwarded to the given host and port on the remote side. This
             works by allocating a socket to listen to port on the local side,
             optionally bound to the specified bind_address. Whenever a
             connection is made to this port, the connection is forwarded over
             the secure channel, and a connection is made to host port
             hostport from the remote machine. Port forwardings can also be
             specified in the configuration file. IPv6 addresses can be
             specified by enclosing the address in square brackets. Only the
             superuser can forward privileged ports. By default, the local
             port is bound in accordance with the GatewayPorts setting.
             However, an explicit bind_address may be used to bind the
             connection to a specific address. The bind_address of "localhost"
             indicates that the listening port be bound for local use only,
             while an empty address or '*' indicates that the port should be
             available from all interfaces.

E.g., you could use a command like the one below to connect via SSH to port 443 on machine B and have it forward traffic from port 2222 on your local system to port 22 on A, through port 443 on B.

ssh -p 443 -L 2222:1.2.3.4:22 myBacct@5.6.7.8

The -p stands for "port" and tells SSH that you need to connect to the destination system, which is B at 5.6.7.8, on port 443 rather than the standard port of 22. The -L tells SSH to create a local listening port on the system from which you are establishing the connection. I put "2222" in the command line, but the number is arbitrary; just put something greater than 1024 and less than 65536. The -L 2222:1.2.3.4:22 is also instructing the SSH program on the system from which you are establishing the SSH connection to B to forward any traffic it receives on port 2222 through the SSH tunnel it has established with B. When it leaves the other end of the tunnel, B sends it on to A at 1.2.3.4 on port 22. So from A's perspective, the SSH connection to it is originating from B.

Then on the system from which you are establishing the connection, you need to initiate another SSH connection, but this time to port 2222 on itself. You can do that as follows:

ssh -p 2222 myAacct@127.0.0.1

Now your system connects to the nonstandard port 2222 on its own localhost address, i.e., 127.0.0.1. The first SSH connection you set up has the SSH client software listening on port 2222 for connections and then forwarding the traffic through an SSH tunnel to port 443 on B, where it is then sent onwards to port 22 on A. When you initiate the connection, the password prompt you receive, if you use password authentication, will be for machine A.

The firewall on the network from which you originate the first SSH connection sees only an outbound connection to port 443 on B. But within the connection to port 443 on B is an encrypted tunnel that is routing all traffic to port 2222 on your SSH client to port 22 on A.

I use a similar approach to transfer files to/from an SSH server, A, which is in a restricted network zone where the only inbound SSH connectivity allowed must come through a bastion host, B. Note: if you also need to perform file transfers using secure copy (SCP), you need to use an uppercase "P" with SCP to specify the port, whereas with ssh you must use a lowercase "p".

If you aren't using a Linux or OS X system as your client SSH system, you can use a similar port forwarding approach with PuTTY or other SSH client software.

moonpoint

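Added example, not from SPRBRN's or moonpoint's answer: both describe the same thing, SSH traffic to A tunnelled through B, one as a manual two-hop login and one as an "ssh -L" listener followed by a second ssh to 127.0.0.1:2222. The script below writes the equivalent as an ssh_config stanza, so that "ssh prod-a" and "scp file prod-a:" go through B in one step without a separate local listener, and it pins A's host key under a stable alias instead of under "[127.0.0.1]:2222". The host aliases "bastion-b" and "prod-a", the account names, the config directory and the function names are this example's assumptions; the addresses and ports are the question's placeholders. ProxyJump needs OpenSSH 7.3 or newer; the older ProxyCommand form is given in a comment.

```shell
#!/bin/sh
# Client-side SSH config for reaching A through B on port 443.
# Added example, not code from the original answers.
set -eu

# Write $DIR/config. Keeping it in its own directory and using "ssh -F" avoids
# clobbering an existing ~/.ssh/config. The heredoc is unquoted only so that
# $dir expands; everything else is literal ssh_config syntax.
write_ssh_config() {
    dir="$1"
    mkdir -p "$dir"
    cat > "$dir/config" <<EOF
# Machine B: only port 443 is reachable from the restricted network.
Host bastion-b
    HostName 5.6.7.8
    Port 443
    User myBacct

# Machine A: reached through B. On a client older than OpenSSH 7.3 replace
# the ProxyJump line with:  ProxyCommand ssh -W %h:%p bastion-b
Host prod-a
    HostName 1.2.3.4
    Port 22
    User myAacct
    ProxyJump bastion-b
    # Store A's key under this name rather than under the jump address, so the
    # known_hosts entry survives changing the jump host or a local port.
    HostKeyAlias prod-a
    UserKnownHostsFile $dir/known_hosts
    # Refuse to connect unless A's key is already pinned (see pin_host_key).
    StrictHostKeyChecking yes
EOF
}

# Record A's host key under the alias. $2 is the content of one of A's
# /etc/ssh/ssh_host_*_key.pub files, copied out of band (console, an existing
# trusted session), NOT learned from the first tunnelled connection: a
# first-contact prompt that arrives via B is exactly where a compromised B
# could substitute its own key.
pin_host_key() {
    dir="$1"
    key_type=$(printf '%s\n' "$2" | awk '{print $1}')
    key_data=$(printf '%s\n' "$2" | awk '{print $2}')
    [ -n "$key_type" ] && [ -n "$key_data" ] || { echo "bad public key line" >&2; return 1; }
    printf '%s %s %s\n' prod-a "$key_type" "$key_data" >> "$dir/known_hosts"
}

# Usage: sh tunnel-config.sh DIR A_HOST_KEY_PUB_FILE
# Afterwards:  ssh -F DIR/config prod-a     or     scp -F DIR/config file prod-a:
if [ $# -ge 2 ]; then
    write_ssh_config "$1"
    pin_host_key "$1" "$(cat "$2")"
    echo "ssh -F $1/config prod-a"
fi
```

With this in place the password prompt (or key challenge) you see is A's, exactly as in the two-command version, and the connection from B to A is still a separate SSH session that B could observe only at the TCP level; the end-to-end encryption and the host-key check are between your client and A. Note that "scp -F" takes the config path, so the uppercase/lowercase -P/-p difference mentioned above no longer matters once the port lives in the config file.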