SSH tunneling

An SSH tunnel provides an encrypted channel over an SSH protocol connection. It can be used to exchange data over a network through that encrypted channel or to bypass some firewall restrictions.

To set up an SSH tunnel, a given port on a machine needs to be forwarded. Ports can be forwarded in three ways: local, remote or dynamic.

Local

Say you’re on a private network which doesn’t allow connections to a specific server. To get around the problem, you can create a tunnel through a server which is not on your private network:

ssh -L [local-port]:[remote-host]:[remote-port] user@remoteserver

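-L stands for local port forwarding; you're forwarding a local port (for example 9000) to [remote-host]:[remote-port]. Connections made to [local-port] on your machine are carried through the tunnel, and remoteserver opens the connection to [remote-host]:[remote-port] on your behalf.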

Remote

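Say you need to give someone access to your client machine over an encrypted tunnel. Before establishing a connection you need to edit /etc/ssh/sshd_config on the remote server, add GatewayPorts yes and restart sshd. Without that setting, sshd binds the forwarded port to the server's loopback address only, so it is reachable only from the server itself.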

ssh -R [remote-port]:localhost:[local-port] user@remoteserver

Dynamic

In this case, port forwarding turns your SSH client into a SOCKS proxy server. Every program needs to be configured to use the proxy server. SOCKS is a protocol that redirects every Internet connection through a proxy server:

ssh -D 1080 [server]

1080 is the standard SOCKS port but you can use any port number; the SOCKS proxy will stop when you close your SSH session.
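
An added example, not part of the original page: a shell check of how a server's sshd_config treats the three forwarding modes above, based on the AllowTcpForwarding and GatewayPorts keywords. The function names and the sample configuration are constructed for illustration, and only the global section (before any Match block) is read.

```shell
#!/bin/sh
# Added example (not from the original page): report how an sshd_config treats
# the port forwarding modes described above. sshd keeps the first value it
# reads for a keyword and matches keywords case-insensitively. Only the global
# section is read here; parsing stops at the first Match block.

# effective_setting KEYWORD FILE DEFAULT -> prints the effective global value
effective_setting() {
    awk -v want="$1" -v dflt="$3" '
        BEGIN { want = tolower(want); val = dflt }
        /^[ \t]*#/ || /^[ \t]*$/ { next }           # comments and blank lines
        tolower($1) == "match" { exit }             # end of the global section
        tolower($1) == want { val = tolower($2); exit }
        END { print val }' "$2"
}

# audit_forwarding FILE -> one finding per line
audit_forwarding() {
    fwd=$(effective_setting AllowTcpForwarding "$1" yes)   # sshd default: yes
    gw=$(effective_setting GatewayPorts "$1" no)           # sshd default: no
    case $fwd in
        yes|all) echo "AllowTcpForwarding=$fwd: -L, -R and -D forwards are accepted" ;;
        local)   echo "AllowTcpForwarding=local: -L and -D accepted, -R refused" ;;
        remote)  echo "AllowTcpForwarding=remote: -R accepted, -L and -D refused" ;;
        *)       echo "AllowTcpForwarding=$fwd: TCP forwarding refused" ;;
    esac
    case $gw in
        yes)             echo "GatewayPorts=yes: -R listeners bind to all interfaces" ;;
        clientspecified) echo "GatewayPorts=clientspecified: the client picks the -R bind address" ;;
        *)               echo "GatewayPorts=$gw: -R listeners bind to loopback only" ;;
    esac
}

# Constructed sample: the second GatewayPorts line is ignored (first value wins).
sample_config() {
    printf '%s\n' '# constructed sshd_config' 'Port 22' \
        'gatewayports yes' 'GatewayPorts no' 'AllowTcpForwarding remote' \
        'Match User backup' '    AllowTcpForwarding no'
}

cfg=$(mktemp) && sample_config > "$cfg" && audit_forwarding "$cfg"
rm -f "$cfg"
```

On a live server, sshd -T prints the effective configuration, including values set in Match blocks that this sketch does not evaluate.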