SSH

Tunnels

Syntax

-L [bind_address:]port:host:hostport

# Forward local :8000 to :80 on the host you connect to
$ ssh -L 8000:localhost:80 host

# Forward local :9000 to :9000 on a host that the host you connect to can reach
$ ssh -L 9000:foo.example.com:9000 host

-R [bind_address:]port:host:hostport

# Have :8000 on the remote host forward all connections to :80 on the local machine
$ ssh -R 8000:localhost:80 host

# Have :8000 on the remote host forward all connections to Google
# (useful for testing)
$ ssh -R 8000:www.google.com:80 host

-D [bind_address:]port

# Set up SOCKS proxy listening on localhost:5000. Configure
# FoxyProxy for SOCKSv4 or SOCKSv5 on localhost:5000 and you have an
# instant HTTP proxy server! Be sure to enable remote resolution so
# DNS happens on the remote host.
$ ssh -D 5000 host

MyEnTunnel

MyEnTunnel is a Windows application that maintains persistent SSH tunnels. Install it as a startup application and watch as your tunnels always stay connected.

SSH Server Configuration

When configuring an SSH server on a new machine, ensure that it has the following items in the config file (typically /etc/sshd_config):

PermitRootLogin no

# disable passwords and only allow more secure authn, like pubkey
PasswordAuthentication no
ChallengeResponseAuthentication no

# whitelist specific users
AllowUsers gps

# whitelist groups
AllowGroups foo
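
The checklist above as a script, added here as an example and not part of the original page: it reads a config file and applies sshd's first-value-wins rule, so a `PasswordAuthentication no` that appears after an earlier `yes` is reported as a failure. The function names, the sample config and the rule that at least one of AllowUsers/AllowGroups must be set are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original page). sshd keeps the FIRST value it
# reads for a keyword and matches keywords case-insensitively.

# Print the global value of keyword $1 in file $2 (empty if unset).
# Assumes "Keyword value" lines; stops at the first Match block.
sshd_first_value() {
    awk -v want="$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" '
        /^[ \t]*#/ || NF == 0 { next }
        tolower($1) == "match" { exit }
        tolower($1) == want { $1 = ""; sub(/^[ \t]+/, ""); print; exit }
    ' "$2"
}

# Report each check; return 1 if any setting differs from the list above.
# An unset keyword also fails: sshd's default for these three is not "no".
audit_sshd_config() {
    cfg=$1; rc=0
    for key in PermitRootLogin PasswordAuthentication ChallengeResponseAuthentication; do
        got=$(sshd_first_value "$key" "$cfg" | tr '[:upper:]' '[:lower:]')
        if [ "$got" = "no" ]; then
            echo "ok    $key no"
        else
            echo "FAIL  $key is '${got:-unset}', expected 'no'"; rc=1
        fi
    done
    # Assumption of this example: at least one allow-list must be present.
    if [ -z "$(sshd_first_value AllowUsers "$cfg")$(sshd_first_value AllowGroups "$cfg")" ]; then
        echo "FAIL  neither AllowUsers nor AllowGroups is set"; rc=1
    fi
    return "$rc"
}

# Constructed sample: the early "yes" wins over the later "no".
sample_shadowed_config() {
    cat <<'EOF'
# constructed sample, not a real host
permitrootlogin no
PasswordAuthentication yes
ChallengeResponseAuthentication no
AllowUsers gps
PasswordAuthentication no
EOF
}

# Demo on the constructed sample: PasswordAuthentication is reported as FAIL.
tmp=$(mktemp); sample_shadowed_config > "$tmp"
audit_sshd_config "$tmp" || echo "sample config fails the audit"
rm -f "$tmp"
```

On a live host, `sshd -T` prints the effective configuration after defaults are resolved, which is the authoritative thing to check.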

For personal (and possibly production) machines:

X11Forwarding yes