Say the target machine, 'bob', has a private IP address. Since it is behind NAT, it is not accessible from the Internet. I'd like to SSH to it from 'alice', a machine with a public IP address somewhere on the Internet. Under ordinary circumstances, this would not be possible. But if I have access to a "jump host" (a dual-homed machine that can reach both 'bob' *and* 'alice'), call it 'jump', I can set up port forwarding on 'jump' to accomplish my objective.
Typically, a high-numbered port (such as 63342) will be selected, and 'jump' will be configured to forward incoming SSH connections on this port to port 22 on 'bob'. This is easily accomplished using either 'socat' or 'xinetd'.
For socat, see 'man socat'. The essential invocation on 'jump' listens on the high-numbered port and relays each accepted connection to port 22 on 'bob' (the TCP: address needs both host and port, and 'fork' lets it serve more than one connection):
    socat TCP-LISTEN:63342,fork TCP:[bob_ip_address]:22
For xinetd, see: azouhr's blog entry on port forwarding with xinetd
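As an added illustration (not taken from that blog entry or from this page), here is the xinetd service definition that performs the same 63342 -> bob:22 forward, with the extra settings I would want on a host exposed to the Internet: 'only_from' so that only 'alice' can use the forward, and logging of every accepted and refused connection. The addresses 192.0.2.10 (bob) and 203.0.113.5 (alice) are placeholders; substitute your own.

```conf
# /etc/xinetd.d/ssh-to-bob  (added example; addresses are placeholders)
service ssh-to-bob
{
    # UNLISTED: the port is not looked up in /etc/services
    type            = UNLISTED
    disable         = no
    socket_type     = stream
    protocol        = tcp
    wait            = no
    # The relay itself needs no privileges; do not run it as root
    user            = nobody
    # Port that 'alice' connects to on 'jump'
    port            = 63342
    # Where xinetd forwards the connection: bob's private IP, SSH port
    redirect        = 192.0.2.10 22
    # Restrict the forward to alice's public address; everything else is refused
    only_from       = 203.0.113.5
    # Record who used (or tried to use) the forward
    log_type        = SYSLOG authpriv info
    log_on_success  = HOST PID DURATION
    log_on_failure  = HOST
    # Keep a runaway client from consuming the whole machine
    per_source      = 5
    instances       = 20
}
```

Place the file in /etc/xinetd.d/ and reload xinetd; the sshd on 'bob' still does its own authentication, so the 'only_from' line reduces exposure of the forward rather than replacing SSH's own access control.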
Performance note: a kernel developer recently told me that, since 'socat' and 'xinetd' operate in userspace, at least two context switches per forwarded packet are performed. This has an adverse effect on the throughput and latency of connections made over forwarded ports. This would not be an issue with SSH, but I might want to think twice before attempting to pipe major traffic over a jump host in this way.