SSH tunnel examples:

To access a box (dest_host) behind a router/firewall (tunnel_support_host) that you own. The tunnel is started from the Internet side (ssh client):
ssh -C -L 2222:dest_host:7711 tunnel_user@tunnel_support_host sleep 60
    ssh : ssh client (local) on the host coming from the Internet
    -C : Compression of all data through the tunnel
    -L 2222:dest_host:7711 : Specifies that the given port (2222) on the local (client) host is to be forwarded to the given host (dest_host) and port (7711) on the remote side
    tunnel_user@tunnel_support_host : Tunnel user and support host
    sleep 60 : The command to be executed on the support host to keep the tunnel alive. When the command ends, the tunnel dies!

To access a box (local) behind a router/firewall that you do NOT own. The tunnel is started by the host behind the firewall, which opens a connection to tunnel_support_host (a box that you own). You can then connect to tunnel_support_host and be forwarded to the box behind the firewall:
ssh -C -R 7777:localhost:22 tunnel_user@tunnel_support_host sleep 60
    ssh : ssh client (local) on the host behind the router/firewall
    -C : Compression of all data through the tunnel
    -R 7777:localhost:22 : Specifies that the given port (7777) on the remote host (tunnel_support_host) is to be forwarded to the given host (localhost) and port (22) on the local side
    tunnel_user@tunnel_support_host : Tunnel user and support host
    sleep 60 : The command to be executed on the support host to keep the tunnel alive. When the command ends, the tunnel dies!

PS: On some Linux boxes, to force sshd to bind the forwarded port on the public IP, you must set the GatewayPorts option to yes.
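
The effect of GatewayPorts on the reverse tunnel above, as an added example that is not part of the original page: remote_bind is a hypothetical helper that models, from the rules in ssh(1) and sshd_config(5), which address sshd binds for an `ssh -R` spec. It assumes no IPv6 bind addresses.

```shell
#!/bin/sh
# Added example: models where sshd binds the listener for `ssh -R SPEC`
# under a given GatewayPorts value (rules from ssh(1) and sshd_config(5)).
# remote_bind is a hypothetical helper; IPv6 bind addresses are not handled.
remote_bind() {
    spec=$1
    gw=${2:-no}            # sshd_config default is "no"

    # SPEC is either port:host:hostport or bind_address:port:host:hostport.
    case $spec in
        *:*:*:*:*) echo "unsupported spec: $spec" >&2; return 2 ;;
        *:*:*:*)   requested=${spec%%:*}; rest=${spec#*:} ;;
        *:*:*)     requested=localhost;   rest=$spec ;;
        *)         echo "malformed spec: $spec" >&2; return 2 ;;
    esac
    # An empty bind_address or "*" asks for every interface.
    case $requested in ''|'*') requested='*' ;; esac

    port=${rest%%:*}
    target=${rest#*:}

    # GatewayPorts decides whether the client's request is honoured.
    case $gw in
        no)              bind=localhost ;;      # always loopback
        yes)             bind='*' ;;            # always wildcard
        clientspecified) bind=$requested ;;     # client chooses
        *) echo "unknown GatewayPorts value: $gw" >&2; return 2 ;;
    esac

    case $bind in
        localhost|127.0.0.1) reach="loopback only" ;;
        *)                   reach="reachable from the network" ;;
    esac
    printf '%s:%s -> %s (%s)\n' "$bind" "$port" "$target" "$reach"
}

# The reverse tunnel from this page under each server setting.
for gw in no yes clientspecified; do
    printf 'GatewayPorts %-15s ' "$gw"
    remote_bind 7777:localhost:22 "$gw"
done
```

With GatewayPorts yes, the firewalled box's sshd becomes reachable on tunnel_support_host:7777 by anything that can reach that host, so restrict the port with a firewall rule or use clientspecified and bind only where needed.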

Now a real case as an exercise!

Requirements:

Purpose:
use the browser (firefox) of your HLinux box from the office!

[Figure: SSH tunnel example]

You could do all the work in 3 steps:

  1. Open an SSH tunnel to the HLinux box so you can access the sshd server at home:

    On the PX box, run the following command from a shell:

    #> ssh -C -L 2022:HLinux:22 user_FW@FW "echo -n Welcome at\ ; date ; sleep 3600 ; echo -n Bye at\ \ \ \ \ ; date"
    Type the required password for user_FW (NB: you can use RSA public-key authentication if you prefer) and the tunnel is up.
    This means that all traffic to your PX:2022 port is forwarded to the HLinux:22 port, so from PX:2022 you can connect to your HLinux box!
  2. Log in remotely to HLinux:

    Open another shell and type the following command:

    ssh -XC -p 2022 sweet_home@localhost
    Type the required password for sweet_home (NB: you can use RSA public-key authentication if you prefer) and you are on a remote console on HLinux.
    Note: you are connecting to a local port, but it is the sshd server on HLinux that answers!
  3. Now check the display settings with the following command:
    #> echo $DISPLAY
    localhost:10.0
    This means that the X11 display is forwarded back to your Cygwin/X server through the SSH channel.
    Now run firefox from the remote console and it will appear on your screen. Good surfing on the Internet waves!