Let's say you have an important server, Bulbasaur. You may want to restrict access to its SSH server to a few IP addresses as an extra layer of protection. We can then use a secure whitelisted server (jumphost or bastion) to relay our SSH connections:
ssh -J charmeleon.mydomain.net bulbasaur.mydomain.net
As we're connecting to Bulbasaur a lot, we may want to tell OpenSSH that we're using charmeleon as a jumphost for bulbasaur:
# ~/.ssh/config
Host bulbasaur.mydomain.net
    ProxyJump charmeleon.mydomain.net
With this configuration in place, we can simply use ssh bulbasaur.mydomain.net. This also works for scp, rsync and everything else that uses your local SSH client.
Working with legacy
On versions of OpenSSH before 7.3 the ProxyJump option is not available.
In that case you'll have to use an alternative configuration using the ProxyCommand option to specify the exact command OpenSSH has to execute to set up the tunnel:
Host bulbasaur.mydomain.net
    ProxyCommand ssh charmeleon.mydomain.net -W %h:%p
Oops: wildcards
Watch out when you're using wildcards in your ssh config:
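Host *.mydomain.net
    ProxyJump charmeleon.mydomain.net
Using ssh server.mydomain.net now causes a loop: the connection to the jumphost itself also matches the block, so OpenSSH tries to reach the jumphost through the jumphost.
An easy way to solve this is an alias for the jumphost. Host patterns are matched against the name given to ssh rather than the resolved HostName, so the short alias does not match the wildcard block: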
Host charmeleon
    HostName charmeleon.mydomain.net
Host *.mydomain.net
    ProxyJump charmeleon
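To check a config for the wildcard loop described above before relying on it, the following added example (not part of the original post) resolves ProxyJump the way OpenSSH matches Host blocks and follows the chain until it ends or repeats. It is a simplified model: it assumes single-hop ProxyJump values without user@ or :port, and ignores Match, Include and CanonicalizeHostname; the function names are hypothetical.

```python
import fnmatch

# Constructed sample configs mirroring the two wildcard variants discussed above
LOOPING = "Host *.mydomain.net\nProxyJump charmeleon.mydomain.net\n"
FIXED = """
Host charmeleon
HostName charmeleon.mydomain.net
Host *.mydomain.net
ProxyJump charmeleon
"""

def parse_blocks(text):
    """Return [(patterns, options)] per Host block, in file order."""
    blocks = [(["*"], {})]  # options before the first Host line apply to all hosts
    for raw in text.splitlines():
        parts = raw.strip().split(None, 1)
        if len(parts) < 2 or parts[0].startswith("#"):
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "host":
            blocks.append((value.lower().split(), {}))
        else:
            blocks[-1][1].setdefault(key, value)  # first value in a block wins
    return blocks

def matches(name, patterns):
    """Host patterns match the name as typed, not the HostName it resolves to."""
    name = name.lower()
    if any(p[0] == "!" and fnmatch.fnmatchcase(name, p[1:]) for p in patterns):
        return False  # a matching negated pattern vetoes the whole block
    return any(p[0] != "!" and fnmatch.fnmatchcase(name, p) for p in patterns)

def proxy_jump(name, blocks):
    for patterns, opts in blocks:
        if matches(name, patterns) and "proxyjump" in opts:
            return opts["proxyjump"]  # first obtained value wins across blocks
    return None

def jump_chain(target, blocks):
    """Follow ProxyJump from target; return (chain, loops)."""
    chain = [target]
    while True:
        jump = proxy_jump(chain[-1], blocks)
        if jump is None or jump.lower() == "none":
            return chain, False
        if jump in chain:
            return chain + [jump], True  # jumphost would be reached via itself
        chain.append(jump)
```

Calling jump_chain("server.mydomain.net", parse_blocks(LOOPING)) reports a loop, while the same call with FIXED ends cleanly at the charmeleon alias.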