A typical scenario is that you need to access something (running
on a port) on a remote machine as if you were there. For instance,
the web server, mail server, or db server on that machine may only
allow local connections, but you temporarily need access from afar.
As long as you can ssh to the remote box, you should be able to
set up a tunnel (remembering to tear it down when you’re finished).
For example, you configure your router firewall to NAT ssh
connections, but nothing else. Thus you gain fairly decent security,
easy configuration, and the ability to temporarily access most
other things via a simple one-liner.
ssh -f user@remote-address -L 3080:localhost:80 -N
Then point your local browser at “http://localhost:3080/” and you
should see whatever would have been served by the remote
machine at “http://localhost:80/”. Note that in that one-liner,
“localhost” is resolved on the remote host: it names the target
of the tunnel as seen from the machine you ssh into, not from your
local machine. For example, in the same locked-down scenario,
I may want to access the web interface of the router, which
doesn’t provide direct ssh or external access to :80.
ssh -f user@remote-address -L 3081:internal-router-address:80 -N
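
Because -f puts ssh in the background, tearing the tunnel down means finding that process again. The sketch below is an added example, not part of the original post: it opens the same forwards through an ssh control socket so each tunnel can be checked and closed by name. The function names and the SSH and CTL_DIR variables are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: manage the tunnels above through an ssh control socket.
# Hypothetical names: SSH, CTL_DIR, ctl_path, valid_port, tunnel_*.

SSH="${SSH:-ssh}"                 # set SSH=echo for a dry run
CTL_DIR="${CTL_DIR:-$HOME/.ssh}"  # directory holding the control sockets

# One control socket per local port, so each tunnel is addressable.
ctl_path() { printf '%s/tunnel-%s.sock' "$CTL_DIR" "$1"; }

# Accept only decimal port numbers in 1..65535.
valid_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# tunnel_open LOCAL_PORT TARGET_HOST TARGET_PORT USER@HOST
#   -M -S  : run as control master on a known socket
#   ExitOnForwardFailure : fail instead of running without the forward
#                          (for example when LOCAL_PORT is already in use)
#   127.0.0.1 bind : keep the listener on loopback only
tunnel_open() {
    valid_port "$1" && valid_port "$3" || { echo "invalid port" >&2; return 2; }
    $SSH -f -N -M -S "$(ctl_path "$1")" \
        -o ExitOnForwardFailure=yes \
        -L "127.0.0.1:$1:$2:$3" "$4"
}

# tunnel_status LOCAL_PORT USER@HOST : is the master still running?
tunnel_status() { $SSH -S "$(ctl_path "$1")" -O check "$2"; }

# tunnel_close LOCAL_PORT USER@HOST : ask the master to exit.
tunnel_close() { $SSH -S "$(ctl_path "$1")" -O exit "$2"; }

# Usage, with the post's placeholder addresses:
#   tunnel_open   3081 internal-router-address 80 user@remote-address
#   tunnel_status 3081 user@remote-address
#   tunnel_close  3081 user@remote-address
```

Source the file and call the functions from an interactive shell; nothing connects until tunnel_open is called.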