HOWTO: SSH Port Forwarding


Local Forward

Source Host    Source Port    Destination Host    Destination Port
localhost      6666           www.google.com      80

ssh -g -L 6666:www.google.com:80 dolio.lh.net


Remote Forward

Source Host    Source Port    Destination Host    Destination Port
dolio.lh.net   6666           www.google.com      80

ssh -R 6666:www.google.com:80 dolio.lh.net


Explanation

ssh -g -[L|R] <source port>:<destination host>:<destination port> <hostname>
Here's how SSH port forwarding works. These commands can be run on any host, but you must be able to log into the hostname machine using SSH.

The -L option always creates the listen port (source port) local to where the command is being run, regardless of the final hostname parameter of the command. That is why dolio.lh.net is used in the above example. I wanted to illustrate that this parameter has no bearing on the source or destination of the forward. The hostname parameter does dictate the endpoint of the secure channel. We will cover this topic shortly.

The -R option always creates the listen port (source port) on the hostname machine, regardless of where the command is being run. Depending on the configuration of SSH on the hostname machine, it may only allow local connections to the port forward. If this is the case, it means that in the above example, only network connections originating from dolio.lh.net are able to connect to the port forward. (To configure the SSH dæmon to allow remote hosts to connect to a remote forward, see the GatewayPorts keyword in the sshd_config manpage.)

The -g option allows remote hosts to connect to the listen port of the local forward. Omit this option if you will only be connecting to the port forward from the localhost. Otherwise, this option may be a security concern if your source host is not behind a firewall.

Important: The more subtle aspect of SSH port forwarding is that the secure channel is always between the machine on which the command is being run and the hostname machine. So, in both of the above examples, traffic between the source host and the www.google.com machine is insecure.


Secure Port Forwarding using SSH

Ideally, you want all of your traffic through the port forward to be through a secure channel. There are only certain conditions under which you can achieve this ideal.

Local Forward

Source Host    Source Port    Destination Host    Destination Port
localhost      6666           dolio.lh.net        80

ssh -g -L 6666:dolio.lh.net:80 dolio.lh.net


Local port forwarding can only be made secure if the destination host matches the hostname parameter of the command. So, obviously, you can only create a secure local forward if you have an account on the destination host. In the above example, a secure channel is created between localhost and the dolio.lh.net machine.

Remote Forward

Source Host    Source Port    Destination Host    Destination Port
dolio.lh.net   6666           dolio.lh.net        80

ssh -R 6666:dolio.lh.net:80 dolio.lh.net


In this example, a secure remote forward can only be achieved if the source and destination of the port forward are on the same machine. To make this secure, the command must also be run on the dolio.lh.net machine. (Recall that the starting point of the secure channel is always the machine on which the SSH command is run.)

So, secure remote forwards are not that useful. The -R option of SSH is more about utility than security, so don't worry about creating secure remote forwards.
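The rules from the Explanation section and this section, put into a small shell helper. This is an added example, not part of the original HOWTO; the hostname "laptop" is made up, and treating a destination of "localhost" as the machine that makes the onward connection goes beyond the HOWTO's own examples.

```shell
#!/bin/sh
# Classify an SSH port forward by the rules of the HOWTO (added example):
#   -L: the listener is on the machine running ssh (runhost); sshd on
#       sshhost makes the onward connection to dsthost.
#   -R: the listener is on sshhost; the ssh client on runhost makes the
#       onward connection to dsthost.
# The encrypted channel only ever spans runhost <-> sshhost. The onward
# connection is cleartext unless it stays on the machine that makes it.
# Usage: forward_report L|R <srcport>:<dsthost>:<dstport> <sshhost> <runhost>
# (the three-field forward spec used in the HOWTO; no bind address prefix)
forward_report() {
    mode=$1 spec=$2 sshhost=$3 runhost=$4
    srcport=${spec%%:*}
    rest=${spec#*:}
    dsthost=${rest%%:*}
    dstport=${rest#*:}
    case "$mode" in
        L) listenhost=$runhost; exithost=$sshhost ;;
        R) listenhost=$sshhost; exithost=$runhost ;;
        *) echo "error: mode must be L or R" >&2; return 2 ;;
    esac
    # "localhost" in the spec is resolved by the side that makes the onward
    # connection, so it names the exit host itself.
    case "$dsthost" in
        localhost|127.0.0.1) dsthost=$exithost ;;
    esac
    if [ "$dsthost" = "$exithost" ]; then
        cleartext=none          # onward connection never leaves the exit host
    else
        cleartext="$exithost->$dsthost:$dstport"
    fi
    echo "listen=$listenhost:$srcport encrypted=$runhost<->$sshhost cleartext=$cleartext"
}

# The four commands from the HOWTO; the first three are assumed to be run
# on "laptop", the last one on dolio.lh.net as the text requires.
forward_report L 6666:www.google.com:80 dolio.lh.net laptop
forward_report R 6666:www.google.com:80 dolio.lh.net laptop
forward_report L 6666:dolio.lh.net:80   dolio.lh.net laptop
forward_report R 6666:dolio.lh.net:80   dolio.lh.net dolio.lh.net
```

The "cleartext=" field names the leg that is outside the secure channel, which is the leg the Important note above warns about.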


Notes

The source port must be greater than 1024 unless you have root privileges on the source host. There is no restriction on the destination port.

  Copyright (C) 2003  Adam P. Whitney