Saturday, March 13, 2010

ssh tunneling, explained simply

Many networks these days are closed off from the outside and reachable only through a gatekeeper host. The way to reach machines inside such a network from outside is to use ssh tunneling via the gatekeeper.

This site explains how to do that clearly and simply for Linux, OSX and Windows.

In case that site disappears:

The linux command is

ssh -L 2222:internal_host:22 username@gatekeeper.uni.edu

where:
-L means 'forward local port' (the forward is set up once the connection to the gatekeeper is established);
2222 is the local port on your localhost (the machine you are sitting in front of right now);
internal_host is the DNS name of the host on the closed network you are trying to reach (this name is resolved by the gatekeeper, not by your own machine, so it can be a name that only exists inside the closed network);
22 is the port on the internal host that you are trying to connect to;
username is your username on the gatekeeper machine (ssh will ask you for that account's password unless you have set up ssh keys);
gatekeeper.uni.edu is the public DNS name of the gatekeeper on the wider internet.

After running this command, a connection to port 2222 on your local machine is carried through the encrypted ssh session and comes out of the gatekeeper as a connection to port 22 on the internal host; in other words it is the same as connecting to port 22 on internal_host from the gatekeeper. By default ssh binds the forwarded port to the loopback interface only, so other machines on your network cannot use the tunnel unless you explicitly ask for that (with -g, or by putting a bind address in front of the port).

Windows users use PuTTY (Connection > SSH > Tunnels) and put Source port=2222 and Destination=internal_host:22.

nxclient users should then tell their client to connect to localhost:2222 (i.e. through the tunnel) and then log in to the internal machine as normal.
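The forwarding spec that -L takes (and that PuTTY's Source/Destination pair maps onto) has a small grammar of its own. The parser below is an added example, not code from the original post: it splits '[bind_address:]port:host:hostport' (including a bracketed IPv6 bind address), flags a bind address that would make the tunnel entrance reachable from other machines, and emits the equivalent LocalForward line for ~/.ssh/config. LocalForward is a real ssh_config directive; the class and function names are my own.

```python
import re
from dataclasses import dataclass
from typing import Optional

_TOKEN = re.compile(r"\[([^\]]+)\]|([^:]+)")  # "[IPv6]" literal or plain token


@dataclass
class LocalForward:
    bind_address: Optional[str]  # None: ssh's default, loopback only
    local_port: int              # port opened on the machine you sit at
    host: str                    # resolved by the gatekeeper, not by you
    host_port: int

    def exposed_to_network(self) -> bool:  # could other machines reach the entrance?
        return self.bind_address in ("", "*", "0.0.0.0", "::")

    def ssh_config_line(self) -> str:
        """Equivalent ~/.ssh/config directive for this forward."""
        b = self.bind_address
        bind = "" if b is None else (f"[{b}]:" if ":" in b else f"{b}:")
        return f"LocalForward {bind}{self.local_port} {self.host}:{self.host_port}"


def split_spec(spec: str) -> list:
    """Split on ':' while keeping [IPv6] literals as single tokens."""
    parts, pos = [], 0
    while pos < len(spec):
        m = _TOKEN.match(spec, pos)
        if not m:
            raise ValueError(f"malformed forward spec: {spec!r}")
        parts.append(m.group(1) or m.group(2))
        pos = m.end()
        if pos < len(spec) and (spec[pos] != ":" or pos == len(spec) - 1):
            raise ValueError(f"malformed forward spec: {spec!r}")
        pos += 1  # step over the ':' separator (harmless at end of string)
    return parts


def parse_local_forward(spec: str) -> LocalForward:
    """Parse '[bind_address:]port:host:hostport' as given to ssh -L."""
    # A leading ':' is an empty bind address, which ssh treats as all interfaces.
    parts = ([""] + split_spec(spec[1:])) if spec.startswith(":") else split_spec(spec)
    if len(parts) == 3:
        bind, (port, host, hport) = None, parts
    elif len(parts) == 4:
        bind, port, host, hport = parts
    else:
        raise ValueError(f"expected [bind_address:]port:host:hostport, got {spec!r}")
    lport, rport = int(port), int(hport)
    if not (0 < lport < 65536 and 0 < rport < 65536):
        raise ValueError(f"port out of range in {spec!r}")
    return LocalForward(bind, lport, host, rport)
```

Running parse_local_forward("2222:internal_host:22") gives the tunnel from the command above, bound to loopback only; "*:2222:internal_host:22" or ":2222:internal_host:22" would open the entrance to the whole network.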

Setting up keys

On the client, run

ssh-keygen

(and accept the default options; note that just pressing enter at the passphrase prompt stores the private key unencrypted, so consider giving it a passphrase). Once that's finished,

ssh-copy-id username@server

will append your public key to ~/.ssh/authorized_keys for that account on the server (for the tunnel above, the server is the gatekeeper), so later logins no longer ask for the password. That's it!