I havn't needed to do it till today, but I effectively have a bastion-host/jump-host in to which I make an ssh connection before connecting to other devices. Most, if almost all, sessions are text based, so, ... not a problem. But now I require a web session and a gui session to a number of virtualized guests, which don't have exterior access, on the second hop.
The cheat would be to make a network connection to the guests in question, but, well, that would be cheating, and would protections already in place.
Fortunately, on a related problem, I came across Scott's Weblog entry defining the solution for the same problem I was having, that of Accessing VNC Consoles of KVM Guests via SSH.
I have used port forwarding already, but only for single hops. The trick for multiple hops is to use the -g option [Allows remote hosts to connect to local forwarded ports] for the second hop. So stealing his syntax, here is the first hop:
ssh <:username>@<:remote host IP address or DNS name> \ -L <local port>:<remote FWD address>:<remote port>
Then on the second hop, a -g is added:
ssh <:username>@<:remote host IP address or DNS name> \ -L <local port>:<remote FWD address>:<remote port> -g
Scott provided another informative command to show listening ports on a KVM host:
netstat -tunelp | grep LISTEN