Scenario: You're at home, and you want to connect to a mysql server on the other side of a firewall. There is a machine with ssh open on it that you can use as a gateway.
ssh -L 3307:domain.name.of.mysqlserver:3306 firstname.lastname@example.org
This will open a tunnel, listening on localhost:3307 and forwarding everything to mysqlserver:3306, and doing it all via the ssh service on the gateway machine.
This example shows us specifying port 3307 on the local end of the tunnel; I did this because I run a MySQL server on my home machine, so I can't re-use the default MySQL port.
You'll now have a terminal open on the gateway machine, but you don't need it for this procedure, so set it aside.
mysql -u username -p -h 127.0.0.1 -P 3307 databasenameIn other words, mysql thinks it's connecting to localhost, but on a different port. In fact, the connection is being made securely to the remote mysql server, via the gateway machine and the local "mouth" of the ssh tunnel on your own machine.