A página man do sshd_config tem tudo:
AllowTcpForwarding
Specifies whether TCP forwarding is permitted. The available
options are yes (the default) or all to allow TCP forwarding, no
to prevent all TCP forwarding, local to allow local (from the
perspective of ssh(1)) forwarding only or remote to allow remote
forwarding only. Note that disabling TCP forwarding does not
improve security unless users are also denied shell access, as
they can always install their own forwarders.
No seu caso, você provavelmente precisará de:
Match User user1
GatewayPorts yes
AllowTcpForwarding remote
PermitOpen 127.0.0.1:12345
e possivelmente PermitOpen é irrelevante para o encaminhamento remoto de portas.