If you're tunneling through SSH, the incoming connection will be on a user defined port not 5900, as is usual for VNC. SSH will then pass the connection to 5900 internally.
If you have iptables drop all incoming tcp/udp with a source address of anything and destination port of 5900, you will arrive at the following set of circumstances.
1. Any connections coming in to the user defined port using VNC over SSH will be accepted.
2. Any connections just using VNC to the standard port, will be dropped.
3. Any connections to the user defined port, using just VNC will not complete, as SSH will reject them.