ssh(1) -TN -R20202:localhost:2568 ssh-tunnel@starbeamrainbowlabs.com
OpenSSH SSH client (remote login program)
-T      Disable pseudo-tty allocation.
-N      Do not execute a remote command.  This is useful for just forwarding ports (protocol version 2
        only).
-R [bind_address:]port:host:hostport
        Specifies that the given port on the remote (server) host is to be forwarded to the given host and
        port on the local side.  This works by allocating a socket to listen to port on the remote side,
        and whenever a connection is made to this port, the connection is forwarded over the secure
        channel, and a connection is made to host port hostport from the local machine.

        Port forwardings can also be specified in the configuration file.  Privileged ports can be
        forwarded only when logging in as root on the remote machine.  IPv6 addresses can be specified by
        enclosing the address in square braces.

        By default, the listening socket on the server will be bound to the loopback interface only.  This
        may be overridden by specifying a bind_address.  An empty bind_address, or the address ‘*’,
        indicates that the remote socket should listen on all interfaces.  Specifying a remote bind_address
        will only succeed if the server's GatewayPorts option is enabled (see sshd_config(5)).

        If the port argument is ‘0’, the listen port will be dynamically allocated on the server and
        reported to the client at run time.  When used together with -O forward the allocated port will be
        printed to the standard output.
ssh connects and logs into the specified hostname (with optional user name).  The user must prove his/her
identity to the remote machine using one of several methods depending on the protocol version used (see
below).

If command is specified, it is executed on the remote host instead of a login shell.
source manpages: ssh