# accept traffic to the normal ssh port
iptables -A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT
# accept traffic on the port kippo is listening on
iptables -A INPUT -i eth0 -p tcp --dport 2222 -j ACCEPT
# direct traffic inbound on port 22 to port 2222
iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 22 -j REDIRECT --to-port 2222
Make sure also to add an ACCEPT rule for traffic to whatever port sshd is actually bound to.
That's fine so long as you trust all of the users on your system. Otherwise they could potentially get something running on port 22. Which, so long as you aren't actually sending auth info to 22, probably isn't a big deal.