Our db is hosted on Amazon. Our web server can connect to the db. Connections to the db are not allowed outside of the web server.
This creates a tunnel from my local machine to the web server:
ssh -N -L 3307:my-rds-db.us-east-1.rds.amazonaws.com:3306 ec2-my-web-server.compute-1.amazonaws.com
-N -- Do not execute a remote command. This is useful for just forwarding ports (protocol version 2 only).
An example using mysql:
$ mysql -uusername -h 127.0.0.1 -P 3307 -p
From man ssh:
-L [bind_address:]port:host:hostport
Specifies that the given port on the local (client) host is to be forwarded to the given
host and port on the remote side. This works by allocating a socket to listen to port on
the local side, optionally bound to the specified bind_address. Whenever a connection is
made to this port, the connection is forwarded over the secure channel, and a connection
is made to host port hostport from the remote machine. Port forwardings can also be
specified in the configuration file. IPv6 addresses can be specified by enclosing the
address in square brackets. Only the superuser can forward privileged ports. By default,
the local port is bound in accordance with the GatewayPorts setting. However, an explicit
bind_address may be used to bind the connection to a specific address. The bind_address of
``localhost'' indicates that the listening port be bound for local use only, while an empty
address or `*' indicates that the port should be available from all interfaces.