ProxyJump allows a SSH connection to be used as a proxy for another SSH connection.
It is thus possible to use a host as a bastion before reaching other hosts.

For example, to reach the host remote.restricted-domain.local using bastion.domain.local as a proxy:

ssh -J user@bastion.domain.local user@

If you have an internal DNS server, you can use the DNS name of your host.
It’s the proxy machine that will resolves it for you!

It is also possible to use multiple proxies:

ssh -J user@bastion1.domain.local,user@bastion2.domain.local user@remote.restricted-domain.local

The sshd service on the proxy machine must be configured with the following parameter:

AllowTcpForwarding yes

 You can also restrict the port reachable by the SSH connection jumping the proxy machine:

PermitOpen *:22