SSH tunnels are incredibly handy any time you need to pipe a single connection from one place to another in a secure fashion. One of the best reasons to choose an SSH tunnel over other options (such as a proper VPN) is that you can easily tunnel to a port that is only listening on localhost on the remote machine, without needing to reconfigure the daemon. You also do not need root access to set up an SSH tunnel, so long as a privileged port is not involved. For this example we'll tunnel the MySQL port so that we can access the database as though it were running locally, such as you might do in production.
mngrif@kosh:~$ ssh lennier.info -N -L 3306:127.0.0.1:3306
The first port listed is the local port to bind to. In this instance, it is not required as we want it to be the same, but there are plenty of reasons why you'd want it to be on a different port. The "-N" argument tells ssh not to execute a command on the remote machine, such as spawning a shell, since that isn't needed for a tunnel. Additionally, you can add the "-f" argument, which backgrounds this ssh process; that might be handy for more permanent tunnels. If you use "-f", you'll need to kill the process once you're done, rather than just giving it a ^C.
Here's an example of this in action:
mngrif@kosh:~$ ssh lennier.info -N -f -L 3306:127.0.0.1:3306
mngrif@kosh:~$ mysql -u root -p -h 127.0.0.1
Enter password:
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 51239
Server version: 5.5.36-MariaDB-1~wheezy-log mariadb.org binary distribution
Copyright (c) 2000, 2013, Oracle and/or its affiliates. All rights reserved.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
mysql> Bye
mngrif@kosh:~$ ps x|grep ssh
15630 ? Ss 0:00 ssh lennier.info -N -f -L 3306:127.0.0.1:3306
mngrif@kosh:~$ kill 15630
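Another way to manage the backgrounded tunnel, shown here as an added example that is not part of the original post: start it with an OpenSSH control socket so it can be checked and stopped without hunting for the PID, bind the local end to loopback explicitly, and have ssh exit if the forward cannot be set up. The function names and the socket path in the usage comment are made up for illustration; -M, -S, -O and ExitOnForwardFailure are standard OpenSSH options.

```shell
#!/bin/sh
# Added example (not from the original post). Usage, with an assumed socket path:
#   open_tunnel  lennier.info "$HOME/.ssh/mysql-tunnel.sock" 3306 3306
#   tunnel_alive lennier.info "$HOME/.ssh/mysql-tunnel.sock" && echo up
#   close_tunnel lennier.info "$HOME/.ssh/mysql-tunnel.sock"

# Build the -L forward spec with the local end bound to 127.0.0.1 explicitly.
# Rejects malformed ports, and privileged local ports when not running as root.
forward_spec() {
    lport=$1 rport=$2
    for p in "$lport" "$rport"; do
        case $p in
            ''|*[!0-9]*|??????*) echo "invalid port: $p" >&2; return 2 ;;
        esac
        if [ "$p" -lt 1 ] || [ "$p" -gt 65535 ]; then
            echo "port out of range: $p" >&2; return 2
        fi
    done
    if [ "$lport" -lt 1024 ] && [ "$(id -u)" -ne 0 ]; then
        echo "local port $lport is privileged and needs root" >&2; return 3
    fi
    printf '127.0.0.1:%s:127.0.0.1:%s\n' "$lport" "$rport"
}

# Start the tunnel in the background (-f) as a control master (-M).
# ExitOnForwardFailure makes ssh fail instead of lingering with no tunnel
# when the local port is already in use.
open_tunnel() {
    host=$1 sock=$2
    spec=$(forward_spec "$3" "$4") || return $?
    ssh -M -S "$sock" -o ExitOnForwardFailure=yes -N -f -L "$spec" "$host"
}

# Succeeds while the master process behind the socket is still running.
tunnel_alive() { ssh -S "$2" -O check "$1" 2>/dev/null; }

# Ask the master to exit through its socket; replaces ps | grep | kill.
close_tunnel() { ssh -S "$2" -O exit "$1"; }
```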