Credit goes to Pentestmonkey for the majority of this page, copied here for convenience and completeness' sake.
// SSH Tunneling //
// SOCKS Proxy / Dynamic // -D //
Set up a SOCKS proxy on 127.0.0.1:1080 that lets you pivot through the remote host (10.0.0.1):
Command line:
ssh -D 127.0.0.1:1080 10.0.0.1
~/.ssh/config:
Host 10.0.0.1
    DynamicForward 127.0.0.1:1080
You can then use tsocks or similar to use non-SOCKS-aware tools on hosts accessible from 10.0.0.1:
tsocks rdesktop 10.0.0.2
// Local Port Forward // -L //
Example
The service running on the remote host on TCP port 1521 is accessible by connecting to 10521 on the SSH client system.
Command line:
ssh -L 127.0.0.1:10521:127.0.0.1:1521 user@10.0.0.1
~/.ssh/config:
LocalForward 127.0.0.1:10521 127.0.0.1:1521
// Remote Port Forward // -R //
The SSH server will be able to access TCP port 80 on the SSH client by connecting to 127.0.0.1:8000 on the SSH server.
Command line:
ssh -R 127.0.0.1:8000:127.0.0.1:80 10.0.0.1
~/.ssh/config:
RemoteForward 127.0.0.1:8000 127.0.0.1:80
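Added example (not from the original page or from Pentestmonkey): a Python check that lists every DynamicForward, LocalForward and RemoteForward in an ssh_config-style file and classifies the listening address, so forwards bound beyond loopback stand out during a review. The sample config and the `lab-jump` host are constructed, and only TCP `[bind_address:]port` specs are handled.

```python
import ipaddress
import re

FORWARDS = {"dynamicforward", "localforward", "remoteforward"}

def split_listen(spec):
    """Split '[bind_address:]port' into (bind, port); bind is None if omitted."""
    if spec.startswith("["):                       # bracketed IPv6, e.g. [::1]:1080
        bind, _, port = spec[1:].partition("]:")
        return bind, port
    bind, sep, port = spec.rpartition(":")
    return (bind if sep else None), port

def exposure(bind):
    """Classify where the forward's listening socket is bound."""
    if bind is None:
        return "default"            # loopback unless GatewayPorts is enabled
    if bind in ("", "*"):
        return "all-interfaces"
    try:
        ip = ipaddress.ip_address(bind)
    except ValueError:
        return "loopback" if bind == "localhost" else "named-host"
    if ip.is_unspecified:           # 0.0.0.0 or ::
        return "all-interfaces"
    return "loopback" if ip.is_loopback else "specific-address"

def audit_forwards(config_text):
    """Return (host_pattern, directive, bind, port, exposure) for each forward."""
    findings, host = [], "*"        # directives before any Host line apply to all
    pattern = r"^[ \t]*([A-Za-z]+)[ \t]*(?:=[ \t]*|[ \t])(.*)$"
    for m in re.finditer(pattern, config_text, re.M):   # skips blanks and comments
        key, args = m.group(1), m.group(2).split()
        if key.lower() == "host":
            host = " ".join(args)
        elif key.lower() in FORWARDS and args:
            bind, port = split_listen(args[0])
            findings.append((host, key, bind, port, exposure(bind)))
    return findings

# Constructed sample: the page's three forwards plus a hypothetical "lab-jump" host.
SAMPLE = """\
Host 10.0.0.1
    DynamicForward 127.0.0.1:1080
    LocalForward 127.0.0.1:10521 127.0.0.1:1521
    RemoteForward 127.0.0.1:8000 127.0.0.1:80
Host lab-jump
    DynamicForward *:1080
    LocalForward 10521 127.0.0.1:1521
"""
```

For RemoteForward the listener is on the SSH server, so a non-loopback bind there only takes effect if the server's GatewayPorts setting allows it.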
// Netcat Relays //
Create a FIFO
mknod backpipe p
Listener to Client:
nc -lp <port> 0<backpipe | nc <TarIP> <port> | tee backpipe
Listener-To-Listener:
nc -lp <LocalPort> 0<backpipe | nc -lp <LocalPort2> | tee backpipe
Client-To-Client:
nc <PrevIP> <port> 0<backpipe | nc <NextIP> <port2> | tee backpipe
File PUSH (client -> listener)
nc -lp <port> > <outfile>
nc -w3 <tarIP> <port> < <infile>
File PULL (listener -> client)
nc -lp <port> < <infile>
nc -w3 <tarIP> <port> > <outfile>