I want to learn more about hardening webservers and am currently stopped at the topic of Jumphosts. So for me it seems like a Jumphost, for example, is connected to a webserver via VPN and is the only server that gets access via VPN and SSH inside the VPN, so every other request from an unknown IP via SSH or VPN gets blocked via iptables, for example.

Do I understand the concept of a Jumphost right or are there other advantages which I should take care of?

gxx
frankhammer

3 Answers

Jumphosts are whitelisted "gateway" machines which have the privilege to access certain services. You can reach your target using them. Everything else is implementation detail.

You can create jumphosts using proxy, ssh, vpn or any combination of them.

A very simple jumphost design can be implemented using ssh port forwards.

goteguru

Jumphosts, aka Bastion servers, are part of the "security by obscurity" approach; they are usually part of the infrastructure but outside of the assumed attack vector. For your example of using webhosts, all webhosts would only accept requests via a list of specific servers. Webhosts are easily found on the internet as they expose ports and host services, like a website. The Jumpbox's only purpose is to provide access to those webhosts, and does NOT offer any public services.

Additionally, jumpboxes are usually more secure with Multi-Factor Authentication in the form of Google Auth/Password/Kerberos Ticket/One Time Password/CAC, etc. Also, typically webservers should not have internet access and are not directly accessible via the internet (only behind a load balancer), so you NEED a jump box to access them.

Other examples would be using a dial-up modem to access a router, or out-of-band access using a phone number that isn't listed on the company contact page.

See more questions about bastion hosts on SecurityExchange

Jacob Evans

A jump host is more a gateway into a secure network than a security feature itself. If you have, for example, a machine with a database server, you may have a firewall so that it is not reachable from the internet but only from your servers, which use it. When you need to ssh into it, you first ssh into some jumphost and then "jump" from there onto the database server. The jumphost may be just the webserver, which has both ssh open to the internet and access to the database server LAN, or even a dedicated machine with additional audit logs and a more secure configuration with, e.g., fail2ban enabled.

So in general, a jump host is not a security feature, but an entry point into a secure network. As Jacob Evans said, you have the additional security by obscurity that somebody who got access to your jumphost may not be able to find what the next hop is. While it surely helps when somebody got that far, you should rather secure your network in a way that nobody can break into the first host anyway.

allo
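The layout the answers sketch (goteguru's ssh-based design and allo's "ssh into the jumphost, then jump"), as an added example that is not part of any answer in this thread: the web server accepts SSH only from the jump host, the admin workstation hops through it with ProxyJump, and a small audit lists who the firewall really lets in. The addresses and the iptables-save dump are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the thread. Hypothetical addresses from the
# documentation ranges: jump host 203.0.113.10, web server 10.0.0.20.
JUMP_IP="203.0.113.10"

# 1) On the web server: accept new SSH connections only from the jump
#    host and drop the rest. Printed, not applied, so it can be reviewed.
target_ssh_rules() {
  jump="$1"
  printf 'iptables -A INPUT -p tcp --dport 22 -s %s/32 -m conntrack --ctstate NEW -j ACCEPT\n' "$jump"
  printf 'iptables -A INPUT -p tcp --dport 22 -j DROP\n'
}

# 2) On the admin workstation: ~/.ssh/config so "ssh web1" is tunnelled
#    through the jump host automatically (ProxyJump, OpenSSH 7.3+).
client_ssh_config() {
  jump="$1"; target="$2"
  cat <<EOF
Host jump
    HostName $jump
    User admin
Host web1
    HostName $target
    User admin
    ProxyJump jump
EOF
}

# 3) Audit: read an iptables-save dump on stdin and print every source
#    allowed to reach tcp/22. A rule with no -s means "anywhere".
ssh_accept_sources() {
  awk '/-A INPUT/ && /--dport 22/ && /-j ACCEPT/ {
         src = "0.0.0.0/0"
         for (i = 1; i <= NF; i++) if ($i == "-s") src = $(i + 1)
         print src }'
}

# Constructed sample dump: the intended rule plus a stray world-open rule.
SAMPLE_DUMP='-A INPUT -p tcp -m tcp --dport 22 -s 203.0.113.10/32 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j DROP'

# Sources other than the jump host that may open SSH; empty means policy holds.
unexpected_ssh_sources() {
  printf '%s\n' "$SAMPLE_DUMP" | ssh_accept_sources | grep -vx "$JUMP_IP/32" || true
}

unexpected_ssh_sources   # prints 0.0.0.0/0 for the constructed dump
```

The audit step is the part worth running on a real box: a world-open ACCEPT ahead of the DROP, as in the sample, silently defeats the "only via the jump host" intent.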