An SSH tunnel provides an encrypted channel based on the SSH protocol.
The SSH tunnel is a form of tunneling protocol in which TCP traffic originating and meant to certain TCP ports is transferred in packets labeled with completely different port numbers. The actual source and destination ports are transferred in the payload of the packets.
For example, a tunnel between TCP port 1234 on the host machine and 4321 on the destination machine can be achieved with:
[me@host]$ ssh -L 1234:localhost:4321 me@destination
Where the localhost parameter defines the address to which the port will be bound on the host machine. In other words, traffic destined to localhost:1234 will be transferred over the ssh connection and given to the destination machine as if it had arrived at port 4321 on the destination machine.
An SSH tunnel allows for the transfer of unencrypted traffic over a secure (encrypted channel). All traffic passes through the single TCP connection between an ephemeral port on the host machine and the port 22 (or another port if ssh is running on a non-standard port). And it is treated as any other SSH traffic, and encrypted with SSL/TLS accordingly.
SSH tunneling is often used to bypass limitations with NATs and firewalls, which may limit the access to certain ports on a destination machine.
A reverse SSH tunnel can be achieved with -R, for example:
[me@host]$ ssh -R 1234:localhost:4321 me@destination
Will have the effect that traffic directed to localhost:1234 on the destination machine will be passed to the host machine as if it had arrived on port 4321 on the host machine.
