-L [bind_address:]port:host:hostport]
# Forward local :8000 to :80 on the host connected to
$ ssh -L 8000:localhost:80 host
# Forward local :9000 to :9000 on a host the connected to host can reach
$ ssh -L 9000:foo.example.com:9000 host
-R [bind_address:]port:host:hostport]
# Have :8000 on the remote host forward all connections to localhost:80
$ ssh -R 8000:localhost:80 host
# Have :8000 on the remote host forward all connections to Google
# (useful for testing)
$ ssh -R 8000:www.google.com:80 host
-D [bind_address:]port
# Set up SOCKS proxy listening on localhost:5000. Configure
# FoxyProxy for SOCKSv4 or SOCKSv5 on localhost:5000 and you have an
# instant HTTP proxy server! Be sure to enable remote resolution so
# DNS happens on the remote host.
$ ssh -D 5000 host
MyEnTunnel is a Windows application that maintains persistent SSH tunnels. Install it as a startup application and watch as your tunnels always stay connected.
When configuring an SSH server on a new machine, ensure that it has the following items in the config file (typically /etc/sshd_config):
PermitRootLogin no
# disable passwords and only allow more secure authn, like pubkey
PasswordAuthentication no
ChallengeResponseAuthentication no
# whitelist specific users
AllowUsers gps
# whitelist groups
AllowGroups foo
For personal (and possibly production machines):
X11Forwarding yes