First, set up forwarding and iptables on the pwned server:
The first command enables forwarding and the second adds a DNAT rule to the nat table (PREROUTING chain). This routes TCP port 666 from the internet (eth0) to localhost, so all incoming TCP traffic on port 666 is redirected to localhost (even if no process is listening there). It looks a bit weird, but the next step makes sense of it.
Now, if you are on a public connection, e.g. in a café, you don't want to be monitored. From there you can connect to the pwned server with SSH and simultaneously open a tunnel back to receive data from your victims:
Here you open SSH, log in to the pwned server, and at the same time open a reverse tunnel to local port 4711, where you can receive whatever your victim is about to send. This "connects" the remote "listening" port 666 to your local port 4711!
The cool thing about this is that the destination is only open on demand (while the tunnel is open) and otherwise only leads to localhost on the pwned server. You could chain several servers this way to add obfuscation and be a bit more anonymous, while using a secure encrypted connection that hides your local IP.
Easy as that. Happy hunting!
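As an added example from the defender's side (not part of the original post), the following checks a host for the two artifacts this setup leaves behind: a nat/PREROUTING DNAT rule redirecting an external port to loopback, and IP forwarding switched on. The `iptables-save` and `sysctl -a` excerpts are constructed sample input; port 666 and eth0 follow the post.

```python
import re

# Constructed `iptables-save` excerpt (not from the original post); the PREROUTING
# rule redirects external TCP traffic on one port to loopback, as the post describes.
SAMPLE_IPTABLES_SAVE = """\
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i eth0 -p tcp -m tcp --dport 666 -j DNAT --to-destination 127.0.0.1:666
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
"""
# Constructed `sysctl -a` excerpt (not from the original post).
SAMPLE_SYSCTL = "net.ipv4.ip_forward = 1\nnet.ipv4.conf.eth0.route_localnet = 1\n"

def find_loopback_dnat(save_output):
    """nat/PREROUTING DNAT rules whose target is loopback: such a rule lands an
    external port on localhost, where only an on-demand listener (e.g. an SSH
    remote forward) would pick it up, so it deserves review on a non-relay host."""
    findings = []
    table = None
    for line in save_output.splitlines():
        line = line.strip()
        if line.startswith("*"):          # table header, e.g. "*nat"
            table = line[1:]
            continue
        if table != "nat" or not line.startswith("-A PREROUTING"):
            continue
        tokens = line.split()
        if "DNAT" not in tokens:
            continue
        opts = dict(zip(tokens, tokens[1:]))  # crude "flag -> value" map
        dest = opts.get("--to-destination", "")
        host = dest.rsplit(":", 1)[0]         # strip the optional ":port"
        if host.startswith("127."):
            findings.append({"in": opts.get("-i", "any"),
                             "dport": opts.get("--dport", "any"), "to": dest})
    return findings

def forwarding_enabled(sysctl_output):
    """True when net.ipv4.ip_forward = 1 appears in `sysctl -a` output."""
    m = re.search(r"^net\.ipv4\.ip_forward\s*=\s*(\d)", sysctl_output, re.M)
    return m is not None and m.group(1) == "1"

if __name__ == "__main__":
    print(find_loopback_dnat(SAMPLE_IPTABLES_SAVE), forwarding_enabled(SAMPLE_SYSCTL))
```

On a live host, feed it the real output of `iptables-save` and `sysctl -a`; a loopback DNAT on a box that is not a known relay is worth a closer look.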