vncserver -localhost and ssh tunneling
-localhost option is telling the VNC server to bind only to the loopback interface, so that you can only connect to the VNC server from the machine it's running on. This means that anyone trying to break into your VNC session would have to be able to get on that particular machine. Without
-localhost, your VNC server would accept non-local connections, so an attacker could use another machine to try to break into your VNC session.
If you're going to use
-localhost, then you should be passing
-L 5900:localhost:5901, not
-L 5900:vnc.machine:5901, since your VNC server is listening only on the loopback (localhost) interface.
jjlin's answer covers troubleshooting, but to really make it secure you should also pass
-nolisten tcp to
vncserver. This ensures that there won't be an open TCP listener on the
X side of things.