I have 3 machines on the network and want to be able to access them over RDP using an SSH tunnel. At the moment, I have set it up as follows:

Code:
pc1 lan ip = 10.0.0.1 (the rdp port is still 3389 and windows firewall has opened 3389)
pc2 lan ip = 10.0.0.2 (the rdp port changed to 5788 and windows firewall is allowing 5788)
pc3 lan ip = 10.0.0.3 (the rdp port is still 3399 and windows firewall has opened 3399)
router forwarding 22 to 10.0.0.1 and ssh software listening on this machine
router forwarding 3389 to 10.0.0.1
router forwarding 5788 to 10.0.0.2
router forwarding 3399 to 10.0.0.3
ssh client forwarding 6770 to pc1
ssh client forwarding 6771 to pc2:5788
ssh client forwarding 6772 to pc3
I am able to use ports 3389/5788/3399 to RDP directly into each machine, which works, but ultimately I don't want to leave those ports open. Using SSH, I understand that I connect using port 22 via the router and, from there on in, my SSH client opens 6770/6771/6772, which I can use to securely RDP into.

At this point, can I:
- disable the 3389/5788/3399 forwarding to each of my machines on the router and just leave 22 open?
- change the Windows firewall (in advanced settings) for each of the rules for RDP from "any computer" to "my subnet only"?

I'm thinking I can do the first, but not the second?
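As an added example (not part of the original post), here is the same three-forward setup written out as an ssh_config "Host" block with every forward bound to loopback, so the tunnel entry points are usable only from the client machine itself; ROUTER_HOST and SSH_USER are placeholders, while the LAN addresses and RDP ports are the ones listed above. Because the SSH server on pc1 makes the onward RDP connections, pc2 and pc3 see those sessions arriving from 10.0.0.1.

```shell
#!/bin/sh
# Added example, not code from the original post. Generates an ssh_config block
# for the tunnel described above. ROUTER_HOST and SSH_USER are placeholders.

ROUTER_HOST="${ROUTER_HOST:-router.example.invalid}"   # placeholder: router's public name/IP
SSH_USER="${SSH_USER:-user}"                           # placeholder: SSH account on pc1

# local_port:lan_ip:rdp_port, one entry per machine, as listed in the post
FORWARDS="6770:10.0.0.1:3389 6771:10.0.0.2:5788 6772:10.0.0.3:3399"

# Write a Host block to the file named in $1. Each LocalForward is prefixed
# with 127.0.0.1 so the forwarded ports are not reachable from other hosts on
# the client's own network (an unqualified -L/LocalForward can bind wider if
# GatewayPorts is enabled).
write_tunnel_config() {
  out="$1"
  {
    echo "Host rdp-tunnel"
    echo "    HostName $ROUTER_HOST"
    echo "    User $SSH_USER"
    echo "    Port 22"
    echo "    ExitOnForwardFailure yes"   # abort if a local port is already taken
    echo "    ServerAliveInterval 30"     # keep an idle tunnel from being dropped
    for f in $FORWARDS; do
      lport=${f%%:*}
      rest=${f#*:}                        # lan_ip:rdp_port
      echo "    LocalForward 127.0.0.1:$lport $rest"
    done
  } > "$out"
}

# Count the LocalForward lines in $1 that are bound to loopback; a quick check
# that no forward was left listening on all interfaces.
count_loopback_forwards() {
  grep -c '^    LocalForward 127\.0\.0\.1:' "$1"
}

# Usage, after appending the generated block to ~/.ssh/config:
#   ssh -N -f rdp-tunnel          # open the tunnel in the background
#   mstsc /v:127.0.0.1:6770       # pc1; use 6771 for pc2 and 6772 for pc3
```

With the router forwarding only port 22, the three RDP ports stop being reachable from outside, and the Windows firewall rules on pc2 and pc3 only need to admit RDP from 10.0.0.1.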