A secure default for an OpenSSH installation will have GatewayPorts set to no. This is precisely that restriction.
See the PermitOpen directive:
Specifies the destinations to which TCP port forwarding is permitted. The forwarding specification must be one of the following forms:
    PermitOpen host:port
    PermitOpen IPv4_addr:port
    PermitOpen [IPv6_addr]:port
Multiple forwards may be specified by separating them with whitespace. An argument of “any” can be used to remove all restrictions and permit any forwarding requests. By default all port forwarding requests are permitted.
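To audit a server for the two settings discussed above, the following added example (not part of the original answers and not OpenSSH code) reads the global section of an sshd_config, applies the documented defaults, and checks a forwarding destination against PermitOpen. The sample configuration, host names and function names are constructed for illustration, and the matching is a simplified literal comparison of the three documented forms.

```python
import re

# Defaults from sshd_config(5): GatewayPorts is "no"; PermitOpen is unrestricted.
DEFAULTS = {"gatewayports": "no", "permitopen": "any"}
# The three documented forms: host:port, IPv4_addr:port, [IPv6_addr]:port
SPEC = re.compile(r"^(?:\[([^\]]+)\]|([^\[\]:]+)):(\d+)$")

# Constructed sample configuration, not taken from the page.
SAMPLE = """\
# constructed sshd_config excerpt
GatewayPorts no
PermitOpen 10.0.0.5:5432 [2001:db8::10]:443 db.internal.example:3306
Match User backup
    PermitOpen any
"""

def global_settings(config_text):
    """Effective global values; sshd uses the first value it reads per keyword."""
    found = dict(DEFAULTS)
    seen = set()
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.replace("=", " ", 1).split()
        keyword = parts[0].lower()          # keywords are case-insensitive
        if keyword == "match":              # global section ends here
            break
        if keyword in DEFAULTS and keyword not in seen:
            seen.add(keyword)
            found[keyword] = " ".join(parts[1:])
    return found

def parse_permitopen(value):
    """Split a PermitOpen value into (host, port) pairs; reject malformed specs."""
    pairs = []
    for spec in value.split():
        m = SPEC.match(spec)
        if not m:
            raise ValueError(f"not a documented PermitOpen form: {spec!r}")
        pairs.append(((m.group(1) or m.group(2)).lower(), int(m.group(3))))
    return pairs

def is_permitted(value, host, port):
    """Simplified literal match of a forwarding destination against PermitOpen."""
    if value.strip().lower() == "any":
        return True
    return (host.lower(), port) in parse_permitopen(value)
```

A result of `any` for `permitopen` in the global section means forwarding destinations are unrestricted unless a Match block narrows them, which is the case worth flagging in a review.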