Tell socat to listen to connections from a single IP address

You can add the range option to the socat listening address:

socat TCP-LISTEN:22,fork,range=8.8.8.8/32 TCP:192.168.0.15:5900

Or you can add the tcpwrap=vnc_forward option and define global rules for that vnc_forward service as per hosts_access(5).

That won't stop the connections from reaching socat, but socat will ignore them (with a warning) if they don't come from 8.8.8.8.
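The accept-then-discard behaviour described above, sketched in Python as an added example; it is not socat's code and not part of the original answer. The function names and the `relayed` reply are illustrative assumptions, and a loopback client stands in for the remote host. The listener's bind address is the local side, while the allowed range is compared with the peer address.

```python
import ipaddress
import socket
import threading


def serve_once(listener, allowed_cidr, log):
    """Accept one connection; keep it only if the peer is inside allowed_cidr."""
    allowed = ipaddress.ip_network(allowed_cidr)
    # By the time accept() returns, the TCP handshake has already completed:
    # the peer saw its connect() succeed, whatever we decide next.
    conn, (peer_ip, _peer_port) = listener.accept()
    with conn:
        if ipaddress.ip_address(peer_ip) not in allowed:
            log.append(f"refusing connection from {peer_ip}")
            return False                      # closed without relaying anything
        conn.sendall(b"relayed\n")            # stand-in for forwarding to the target
        return True


def probe(allowed_cidr, bind_addr="127.0.0.1"):
    """Listen on bind_addr, connect from loopback, report what each side saw."""
    log, result = [], {}
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as listener:
        listener.bind((bind_addr, 0))         # port 0: let the kernel pick a free port
        listener.listen(1)
        port = listener.getsockname()[1]
        worker = threading.Thread(
            target=lambda: result.update(kept=serve_once(listener, allowed_cidr, log))
        )
        worker.start()
        with socket.create_connection((bind_addr, port), timeout=5) as client:
            data = client.recv(64)            # b"" means the listener just hung up
        worker.join()
    return {"connected": True, "kept": result["kept"], "data": data, "log": log}


if __name__ == "__main__":
    # Constructed inputs: the loopback client is 127.0.0.1 in both runs.
    print(probe("127.0.0.1/32"))   # peer inside the range: data is relayed
    print(probe("8.8.8.8/32"))     # peer outside: connect succeeds, then EOF
```

A port scan from a disallowed address therefore still shows the port as open; only a packet filter in front of the listener changes that.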


Something like this works for me to make socat listen on localhost only.

socat TCP-LISTEN:22,fork,bind=127.0.0.1 TCP:192.168.0.15:5900

So you could try this.

socat TCP-LISTEN:22,fork,bind=8.8.8.8 TCP:192.168.0.15:5900

Most people use firewalls for that. Have a look at iptables to restrict traffic to port 22, i.e.:

iptables -I INPUT -p tcp '!' -s 8.8.8.8 --dport 22 -j REJECT

Or, if the firewall is already restrictive, allow just one address:

iptables -A INPUT -p tcp -s 8.8.8.8 --dport 22 -j ACCEPT

Please note that this is not a full configuration for an iptables firewall; you first need to set up a proper configuration before using the above.
