Successfully SCPed a file to my laptop from a VirtualBox Ubuntu guest running OpenSSH on the standard SSH port but which is port-forwarded to a non-standard port via VirtualBox’s NAT feature, with the host OS on a firewalled workstation running OS X, to which the laptop connected via SSH tunneling through another Ubuntu server configured to allow SSH through said firewall. In other words: laptop → real Ubuntu server → firewalled OS X workstation → virtual Ubuntu server. And amusingly, the file in question was the OS X installer for the latest version of VirtualBox. It has been a fun morning!