Forum OpenACS Q&A: Re: server security...

10: Re: server security... (response to 9)
Posted by Tom Ayles on

First of all, I don't know a lot about NMap, but judging from the output produced, it hasn't scanned all your ports ('The 1598 ports scanned but not shown below are in state: closed'). I'd say it scanned 1601 ports - probably those corresponding to well-known services (FTP, HTTP,...) and a few extras commonly used for back doors, like the elite ports (somewhere in the 32 thousands, not sure where). As 8000 doesn't really fit into either of these, it probably didn't scan it. No doubt you can make it scan all ports, though there are 65k of them.

If you want to tunnel through SSH, the general incantation is:

ssh -L lport:rhost:rport -N rhost

...where you replace lport with the port you want to use on your local machine, rport with the one you are tunneling to on the remote machine, and rhost with the remote host name. The -N simply specifies that ssh shouldn't execute any command, and so doesn't open a shell on the remote machine as well. Something like ssh -L 8000:hostname:8000 -N hostname would probably do it for you. The tunnel persists for as long as the SSH command is running. You can then point your browser (or whatever) to localhost:8000 to do whatever it is you need to do. The merits of tunneling instead of allowing direct access are that you benefit from the security of SSH, which - despite weaknesses being announced (and fixed) recently - is pretty good.

In general, I'd recommend closing all ports on your machine that aren't essential to its running, which would include 8000 (use tunneling instead) and 25 (unless your machine needs to accept mail from the outside world). If you can put your machine behind a hardware firewall in addition to iptables, that's always a bonus as well.
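As an added illustration of the -L incantation above (example code, not from the post or from OpenACS): a small shell script that builds the tunnel command with port validation, pins the local end to 127.0.0.1 so only local clients can use it, and checks a listener line from ss -ltn or netstat -ltn to confirm the forwarded port is bound to loopback only. The host names and ports are placeholders; nothing is actually connected to.

```shell
#!/bin/sh
# Added example: SSH local port forward helpers (not from the original post).
# lport/rhost/rport follow the naming used in the post; no real host is used.

# Accept only a TCP port number in 1-65535.
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Print the ssh command that forwards 127.0.0.1:lport to rport on rhost.
# The destination host inside -L is resolved by the remote sshd, so
# "localhost" there means the remote machine itself; this works even when
# the service on rhost listens only on loopback (i.e. port rport stays
# closed to the outside world, as the post recommends).
# ExitOnForwardFailure makes ssh quit instead of running without a tunnel
# when lport is already taken.
tunnel_cmd() {
    lport=$1; rhost=$2; rport=$3
    valid_port "$lport" || { echo "bad local port: $lport" >&2; return 1; }
    valid_port "$rport" || { echo "bad remote port: $rport" >&2; return 1; }
    printf 'ssh -o ExitOnForwardFailure=yes -L 127.0.0.1:%s:localhost:%s -N %s\n' \
        "$lport" "$rport" "$rhost"
}

# Given one line of `ss -ltn` or `netstat -ltn` output, succeed only if the
# local address (4th column in both formats) is loopback, i.e. the tunnel
# end is not reachable from the network. Typical use once the tunnel is up:
#   ss -ltn | grep ':8000 ' | while read -r l; do loopback_only "$l"; done
loopback_only() {
    set -- $1
    addr=$4
    case "$addr" in
        127.*:*|\[::1\]:*) return 0 ;;
        *) return 1 ;;
    esac
}
```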