SSH is a wonderful tool. Not only does it allow secure remote access to your *nix box console, but it can also allow secure access to any of the services that box has to offer remotely even if the machine you are connecting from is behind a firewall.
First, the basics. Forwarding a port:
The above command will forward port 3306 (MySQL) on your remote machine to your local machine on port 9090 (or whatever random unprivileged port you choose). You would then be able to log in to the remote MySQL server from your local machine, all over SSH.
The command breakdown is simple. Replace "username" with the username you are going to log in to the remote machine with.
The "-L" option specifies that you are forwarding a Local port. In the above example, you are forwarding the port to port 9090 on the localhost.
The machine you are connecting to is "remotemachine". This can be an IP address or a resolvable domain name.
The above example will open an SSH session on the remote machine, and it will stay open until you close it or log out. This can easily be changed to forward your SMTP, HTTP, or any other port you choose over SSH.
This is all great; however, scripting an interaction with that remote machine isn't overly pleasant with that SSH session hanging around waiting to be closed by you. In that case, let's have it connect, run our command, then close without us telling it to.
In the example below, we are going to update a Debian/Ubuntu based machine over the internet. However, the server we are getting our updates from only accepts SSH traffic publicly, and all other ports are blocked by a firewall. Debian/Ubuntu repositories are usually served by Apache or another web server, so they tend to answer on port 80 only.
NOTE: I know this sounds like a nutty example, but I have actually been asked this before. Also it provides easy ghetto authentication to your package repository.
apt-get update
apt-get upgrade
exit 0
The above command/script is broken down like this:
We are connecting to the remote machine as "username."
Instead of having that pesky prompt stay open, we are going to fork this session into the background with "-f". From my experience, this has been the simplest way to get these tunnels to die once your command has completed.
The remainder of the command is the same as above except for the "sleep 5". The sleep command is run on the remote machine. It keeps the tunnel open long enough for our local machine to run the apt commands in the remainder of the script, which need to interact with the remote machine.
Now for these particular commands to work, you'll need to set up your apt sources file to update from your local machine instead of the remote machine. This is just an example, and that's another post for another time. Happy tunneling!
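
One way to write the self-closing tunnel described above, as an added example rather than the post's own script. The user, host and port values follow the text; the 127.0.0.1 bind address, the ExitOnForwardFailure option, the input checks, the function names and the SSH_BIN variable are additions made here.

```shell
#!/bin/sh
# Added example: a local forward that backgrounds itself and closes on its own.
SSH_BIN="${SSH_BIN:-ssh}"   # hypothetical override, handy for dry runs

# valid_port PORT: succeeds only for an integer in 1..65535
valid_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# safe_name NAME: rejects empty values, a leading "-" (which ssh would parse
# as an option) and anything outside letters, digits, ".", "_" and "-"
safe_name() {
    case "$1" in ''|-*|*[!A-Za-z0-9._-]*) return 1 ;; esac
}

# tunnel_args USER HOST LOCAL_PORT REMOTE_PORT HOLD_SECONDS
# Prints the ssh arguments, or fails with status 2 on bad input.
tunnel_args() {
    safe_name "$1" && safe_name "$2" || { echo "bad user or host" >&2; return 2; }
    valid_port "$3" && valid_port "$4" || { echo "bad port" >&2; return 2; }
    case "$5" in ''|*[!0-9]*) echo "bad hold time" >&2; return 2 ;; esac
    # -f: go to the background once authentication is done
    # ExitOnForwardFailure: exit non-zero if the local port cannot be bound
    # 127.0.0.1: listen on loopback only, so other hosts cannot use the tunnel
    # sleep N runs remotely; ssh stays up while a forwarded connection is open
    printf '%s\n' "-f -o ExitOnForwardFailure=yes -L 127.0.0.1:$3:localhost:$4 $1@$2 sleep $5"
}

# run_through_tunnel USER HOST LOCAL_PORT REMOTE_PORT HOLD_SECONDS COMMAND...
# Opens the tunnel, then runs COMMAND locally; COMMAND is skipped if ssh fails.
run_through_tunnel() {
    args=$(tunnel_args "$1" "$2" "$3" "$4" "$5") || return 2
    shift 5
    # Unquoted on purpose: every token in $args passed the checks above.
    $SSH_BIN $args || return 1
    "$@"
}

# Usage, with the names from the text:
#   run_through_tunnel username remotemachine 9090 80 5 \
#       sh -c 'apt-get update && apt-get upgrade'
```

The local command has to open its connection within the hold window: once the remote sleep has exited and no forwarded connection remains, ssh closes the tunnel.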





Comments
SSH Forwarding used the right way
Talking about SSH forwarding.
ShowMyPC helps you use your own middle desktop sharing server; it
uses the standard VNC and SSH mechanism, but the cool part is you are
making your own network. You can still use their servers.
More here...
ShowMyPC.com