There are three types of SSH tunnels, each used in a different scenario. Each involves an SSH server that redirects traffic from one port to another.
A local tunnel allows you to access local network resources that aren't exposed to the internet. For example, let's say you want to access a server at your office from your home. For security reasons, that server accepts connections only from the local network. But if you have access to an SSH server in that local network and you can reach that SSH server from home, then you can create a local SSH tunnel from your home to the office via that SSH server, and access the wanted server as if it were running on localhost.
The command for running a local tunnel is (the -N option tells ssh to forward ports only, without running a remote command):
ssh -N -L local_port:remote_address:remote_port user@server_address
If we assume that you want the wanted server to be available at your local port 1234, the SSH server address is example.com, your user on that server is bob, and the wanted server lives on the office local network at IP 192.168.0.111 port 4321, then the command for running a local SSH tunnel would be:
ssh -N -L 1234:192.168.0.111:4321 bob@example.com
After running this command you will have the wanted server available at localhost:1234.
A remote tunnel makes local network resources available on a remote SSH server. For example, let's say you have a server (HTTP, email, etc.) on your local machine that cannot be accessed from outside your local network, and you also have access to a remote SSH server. Using a remote SSH tunnel you can make your local server available outside your local network via the remote SSH server.
The command for running a remote tunnel is:
ssh -N -R remote_port:local_address:local_port user@server_address
If we assume you have the local server available at your local port 1234, the SSH server address is example.com, your user on that server is bob, and you want your local server to be available at remote port 4321, then the command for running a remote SSH tunnel would be:
ssh -N -R 4321:localhost:1234 bob@example.com
After running this command you will have your local server available at localhost:4321 on the SSH server.
If you want to make the server available to everyone, not just on the SSH server itself (i.e. bind to 0.0.0.0, not 127.0.0.1), you have two options.
The first is to set GatewayPorts to yes in /etc/ssh/sshd_config on the SSH server. Note that this setting applies to every remote tunnel on that server: anything any user forwards with -R then listens on all interfaces and is reachable by whoever can reach the server. The value clientspecified is the narrower alternative; it keeps the loopback default and lets each client opt in per forward by giving a bind address, e.g. -R 0.0.0.0:4321:localhost:1234.
The second is to create the remote tunnel on the local machine as specified above, then create a local tunnel on the remote SSH server (connecting to itself) with the -g option, which allows remote hosts to connect to the locally forwarded port:
ssh -g -N -L 1234:localhost:4321 bob@example.com
This makes port 1234 on the SSH server listen on all interfaces and forward to the loopback-only port 4321 of the remote tunnel.
A dynamic tunnel creates a SOCKS proxy that clients (e.g. browsers) can then use to access restricted resources.
For example, let's say you are connected to a public Wi-Fi network and you want to browse the web securely. If you have access to an SSH server, you can create a dynamic SSH tunnel (i.e. a SOCKS proxy) from your local machine to that SSH server and then configure your web browser to use that tunnel.
The command for running a dynamic tunnel is:
ssh -N -D local_port user@server_address
Let's say we want to create the tunnel on local port 1234, the SSH server name is example.com and the user is bob. Then the command will be:
ssh -N -D 1234 bob@example.com
Then you need to configure your browser to use localhost:1234 as a proxy. For example, with chromium:
chromium --proxy-server=socks://localhost:1234
After this, all your traffic (in the configured browser) will be carried inside the SSH connection and will appear to the sites you visit as coming from example.com. Keep in mind that the SSH encryption covers only the path between your machine and example.com; from there the traffic continues to the site as it normally would, so the Wi-Fi network you are on sees nothing, but example.com sees everything.
Another advantage of this setup is that if you want to visit a website that is blocked in your country, now you can, assuming that example.com is hosted in a country where that website isn't blocked.
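The same question comes up for all three tunnel types above: which interface does the listening end actually bind to, 127.0.0.1 or 0.0.0.0? The script below is an added example for this post (not the post's own code and not OpenSSH's); it applies the rules from ssh(1) and sshd_config(5) to the -L, -R and -D specs used above, reads the effective GatewayPorts value out of an sshd_config the way sshd does (first value wins, Match blocks are conditional), and reports where each of the post's commands would listen. The sshd_config text is constructed for the demo; the function names are my own.

```python
"""Which interface will an SSH forward listen on?

Added example (not the post's or OpenSSH's code).  The sshd_config below is a
constructed sample; gateway_ports(), parse_forward(), listen_address() and
report() are names chosen here, not OpenSSH APIs.
"""
import re

LOOPBACK = "127.0.0.1"
WILDCARD = "0.0.0.0"
GATEWAY_PORTS_VALUES = ("no", "yes", "clientspecified")

# Constructed sshd_config sample.  sshd keeps the FIRST value it obtains for a
# keyword, so the second GatewayPorts line is ignored; the one inside the
# Match block only applies to sessions that match that block.
SAMPLE_SSHD_CONFIG = """\
# /etc/ssh/sshd_config (constructed sample)
Port 22
#GatewayPorts no
gatewayports clientspecified
GatewayPorts yes        # ignored: first value wins
Match User bob
    GatewayPorts yes
"""


def gateway_ports(config_text):
    """Return (effective global GatewayPorts value, values seen in Match blocks).

    Keywords are case-insensitive, '#' starts a comment, 'Keyword value' and
    'Keyword=value' are both accepted, and an absent keyword means 'no'.
    """
    global_value, scoped, in_match = None, [], False
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = re.split(r"[\s=]+", line, maxsplit=1)
        key = fields[0].lower()
        value = fields[1].strip().lower() if len(fields) > 1 else ""
        if key == "match":
            in_match = True  # everything from here on is conditional
        elif key == "gatewayports":
            if value not in GATEWAY_PORTS_VALUES:
                raise ValueError(f"invalid GatewayPorts value: {value!r}")
            if in_match:
                scoped.append(value)
            elif global_value is None:
                global_value = value
    return global_value or "no", scoped


def parse_forward(kind, spec):
    """Split '-L/-R [bind:]port:host:hostport' or '-D [bind:]port' into
    (bind_address or None, port).  Bracketed IPv6 literals are not handled."""
    parts = spec.split(":")
    want = {"L": (3, 4), "R": (3, 4), "D": (1, 2)}[kind]
    if len(parts) not in want:
        raise ValueError(f"malformed -{kind} spec: {spec!r}")
    has_bind = len(parts) == want[1]
    port = int(parts[1] if has_bind else parts[0])
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    return (parts[0] if has_bind else None), port


def listen_address(kind, spec, gateway_ports_value="no", g_flag=False):
    """address:port the forward's listening socket ends up on.

    -L / -D: the listener is on the client, so ssh decides: loopback by
      default; -g, or an explicit '' / '*' bind address, means all interfaces;
      any other explicit bind address is used as given.
    -R: the listener is on the server, so sshd's GatewayPorts decides:
      'no'  -> loopback; a client-supplied bind address is not honoured
      'yes' -> all interfaces, whatever the client asked for
      'clientspecified' -> the client's bind address, loopback if none given
    """
    bind, port = parse_forward(kind, spec)
    if bind == "localhost":
        bind = LOOPBACK
    if kind in ("L", "D"):
        if bind is None:
            addr = WILDCARD if g_flag else LOOPBACK
        else:
            addr = WILDCARD if bind in ("", "*") else bind
    elif gateway_ports_value == "yes":
        addr = WILDCARD
    elif gateway_ports_value == "clientspecified" and bind is not None:
        addr = WILDCARD if bind in ("", "*") else bind
    else:
        addr = LOOPBACK
    return f"{addr}:{port}"


def report(config_text=SAMPLE_SSHD_CONFIG):
    """Evaluate the post's commands against the sample config."""
    gp, scoped = gateway_ports(config_text)
    rows = [
        ("ssh -N -L 1234:192.168.0.111:4321 bob@example.com",
         listen_address("L", "1234:192.168.0.111:4321")),
        (f"ssh -N -R 4321:localhost:1234 bob@example.com  (GatewayPorts {gp})",
         listen_address("R", "4321:localhost:1234", gp)),
        (f"ssh -N -R '*:4321:localhost:1234' bob@example.com  (GatewayPorts {gp})",
         listen_address("R", "*:4321:localhost:1234", gp)),
        ("ssh -g -N -L 1234:localhost:4321 bob@example.com  (run on the server)",
         listen_address("L", "1234:localhost:4321", g_flag=True)),
        ("ssh -N -D 1234 bob@example.com", listen_address("D", "1234")),
    ]
    return rows, scoped


if __name__ == "__main__":
    rows, scoped = report()
    for cmd, addr in rows:
        print(f"{addr:18}  <- {cmd}")
    if scoped:
        print("note: GatewayPorts is also set inside Match blocks:", scoped)
```

Run it as-is to see the post's five commands side by side: with the sample config's clientspecified, the plain -R stays on 127.0.0.1 and only the '*:' form lands on 0.0.0.0, while the -g local forward and the plain -D show the client-side rule. Point gateway_ports() at the real /etc/ssh/sshd_config to check a server before relying on the GatewayPorts option from the remote-tunnel section.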