Fri Jun 16, 2017 5:15 pm
I use VNC a lot so I recognized that port number instantly!
As for which chain to use, the Input chain is for traffic that is inbound to the router and NOT passing through it (such as a WinBox or SSH connection to the router itself); the Output chain is for traffic that is generated by the router itself (for example an E-Mail that the router generates to notify you of something); and the Forward chain is for traffic that will come into the router and be forwarded somewhere else (the vast majority of your traffic). Therefore your filter should be in the Forward chain.
Here is a simple command that will accomplish what you want (obviously you would substitute the correct interface to block traffic):
/ip firewall filter
add action=drop chain=forward comment="Drop anything that is not VNC." dst-port=!5900 out-interface=E3_102 protocol=tcp
Essentially this tells the router that any traffic that is on the interface E3_102 that is NOT on port 5900 should be dropped. You may want or need to add additional parameters to the filter. BTW, in my case the interface E3_102 is ether3 and is my 102 LAN which is actually my "public" WiFi. You will have to specify the correct interface for your case.
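Added example, not part of the original post: a simplified Python model of how the rule above is matched, useful for checking which traffic it drops before relying on it. It assumes RouterOS behaviour that every matcher in a rule must hold and that a packet matching no filter rule is accepted; the helper names and the sample packets are constructed for illustration.

```python
import shlex

# The "add ..." rule line from the post.
RULE = ('add action=drop chain=forward comment="Drop anything that is not VNC." '
        'dst-port=!5900 out-interface=E3_102 protocol=tcp')

NON_MATCHERS = {"action", "chain", "comment"}  # fields that do not match packets

def parse_rule(text):
    """Split an 'add key=value ...' line; a leading '!' negates a matcher."""
    fields = dict(tok.split("=", 1) for tok in shlex.split(text)[1:])
    matchers = {k: (v.startswith("!"), v.lstrip("!"))
                for k, v in fields.items() if k not in NON_MATCHERS}
    return {"action": fields["action"], "chain": fields["chain"],
            "matchers": matchers}

def matches(rule, pkt):
    """True only if the packet is in the rule's chain and ALL matchers hold."""
    if pkt["chain"] != rule["chain"]:
        return False
    for key, (negated, want) in rule["matchers"].items():
        have = pkt.get(key)
        if have is None:                    # e.g. ICMP carries no dst-port
            return False
        if (str(have) == want) == negated:  # plain mismatch, or negated hit
            return False
    return True

def verdict(rules, pkt):
    """First matching rule decides; with no match the packet is accepted."""
    for rule in rules:
        if matches(rule, pkt):
            return rule["action"]
    return "accept"

# Constructed sample packets (not captured traffic).
SAMPLES = {
    "vnc":      {"chain": "forward", "protocol": "tcp", "dst-port": 5900, "out-interface": "E3_102"},
    "https":    {"chain": "forward", "protocol": "tcp", "dst-port": 443, "out-interface": "E3_102"},
    "dns-udp":  {"chain": "forward", "protocol": "udp", "dst-port": 53, "out-interface": "E3_102"},
    "ping":     {"chain": "forward", "protocol": "icmp", "out-interface": "E3_102"},
    "other-if": {"chain": "forward", "protocol": "tcp", "dst-port": 443, "out-interface": "ether1"},
    "ssh-to-router": {"chain": "input", "protocol": "tcp", "dst-port": 22},
}

def run_samples():
    rules = [parse_rule(RULE)]
    return {name: verdict(rules, pkt) for name, pkt in SAMPLES.items()}

if __name__ == "__main__":
    for name, result in run_samples().items():
        print(f"{name:14s} {result}")
```

In this model only the TCP packet to port 443 leaving E3_102 is dropped; UDP and ICMP toward that interface, and anything addressed to the router itself (input chain), are not touched by this rule and need their own rules if they should be blocked.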