An SSH tunnel via multiple hops
You basically have three possibilities:

1. Tunnel from localhost to host1:

       ssh -L 9999:host2:1234 -N host1

   As noted above, the connection from host1 to host2 will not be secured.

2. Tunnel from localhost to host1 and from host1 to host2:

       ssh -L 9999:localhost:9999 host1 ssh -L 9999:localhost:1234 -N host2

   This will open a tunnel from localhost to host1 and another tunnel from host1 to host2. However, the port 9999 to host2:1234 can be used by anyone on host1. This may or may not be a problem.

3. Tunnel from localhost to host1 and from localhost to host2:

       ssh -L 9998:host2:22 -N host1
       ssh -L 9999:localhost:1234 -N -p 9998 localhost

   This will open a tunnel from localhost to host1 through which the SSH service on host2 can be used. Then a second tunnel is opened from localhost to host2 through the first tunnel.

Normally, I'd go with option 1. If the connection from host1 to host2 needs to be secured, go with option 2. Option 3 is mainly useful to access a service on host2 that is only reachable from host2 itself.
There is an excellent answer explaining the use of the ProxyCommand configuration directive for SSH:

Add this to your ~/.ssh/config (see man 5 ssh_config for details):

    Host host2
        ProxyCommand ssh host1 -W %h:%p

Then ssh host2 will automatically tunnel through host1 (also works with X11 forwarding etc.).

This also works for an entire class of hosts, e.g. identified by domain:

    Host *.mycompany.com
        ProxyCommand ssh gateway.mycompany.com -W %h:%p

Update

OpenSSH 7.3 introduces a ProxyJump directive, simplifying the first example to

    Host host2
        ProxyJump host1
OpenSSH v7.3 onward supports a -J switch and a ProxyJump option, which allow one or more comma-separated jump hosts, so you can simply do this now:

    ssh -J jumpuser1@jumphost1,jumpuser2@jumphost2,...,jumpuserN@jumphostN user@host
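As an added example that is not part of any of the answers above, the following script writes an ssh_config that chains two jump hosts with ProxyJump (the config-file form of the -J chain in the last answer, and the replacement for the nested -L commands in the first answer: with ProxyJump the inner leg is also SSH, and the client verifies host2's host key itself), then uses `ssh -G`, which prints the options ssh would apply to a host without connecting anywhere, to check what each host actually resolves to. The host names (bastion, host1, *.internal.example), user and key path are assumptions for the example; the `-F` flag keeps the check independent of your own ~/.ssh/config.

```shell
#!/bin/sh
# Added example, not taken from the answers above. Writes a multi-hop
# ssh_config and inspects the effective per-host options with `ssh -G`.
# Host names, user and identity path below are assumptions for the demo.

write_multihop_config() {
  # $1 = path of the config file to create
  cat > "$1" <<'EOF'
# First hop: the only host reachable directly. Pin the user and key so a
# stray default identity is never offered to the bastion.
Host bastion
    HostName bastion.example.com
    User jumpuser
    IdentityFile ~/.ssh/id_bastion
    IdentitiesOnly yes

# Second hop: reached through the bastion.
Host host1
    HostName host1.internal.example
    ProxyJump bastion

# Everything else in the internal domain: bastion -> host1 -> target.
# The LocalForward mirrors the first answer's tunnel (local 9999 to
# host2:1234), but the forward is set up by the target's sshd, so nothing
# is exposed on host1 and the host2 host key is checked by this client.
Host *.internal.example
    ProxyJump bastion,host1
    LocalForward 9999 localhost:1234
    ForwardAgent no
EOF
}

# Print the effective value of one option for a host, using only the given
# config (-F) so ~/.ssh/config and /etc/ssh/ssh_config cannot interfere.
# `ssh -G` prints option names in lowercase, e.g. "proxyjump bastion,host1".
effective_option() {
  # $1 = config path, $2 = host as typed on the command line, $3 = option name
  ssh -G -F "$1" "$2" | awk -v k="$3" '$1 == k { print $2; exit }'
}

# Usage (no connection is made by either function):
#   cfg=$(mktemp); write_multihop_config "$cfg"
#   effective_option "$cfg" host2.internal.example proxyjump   # bastion,host1
#   effective_option "$cfg" host1 proxyjump                    # bastion
#   ssh -G -F "$cfg" host2.internal.example                    # full dump
```

Note that `Host` patterns are matched against the name as typed on the command line, not against the `HostName` it maps to, which is why `host1` picks up only the `Host host1` stanza and not the `*.internal.example` one. When a real connection misbehaves, `ssh -vvv` on the final target shows each hop being set up in order.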