How secure is the backend (private) network?

@basilisk:

Is my linode's backend network connection visible to other linodes on the backend network? I.e. could a rogue linode user scan all 192.168.x.x backend IPs for open ports, memcache daemons, MySQL servers with no root password etc. and potentially wreak havoc?

Yes, just like they could with your public address.

@basilisk:

If so, can I configure iptables to prevent that?

Yes, just like you can with your public interface.

Thanks - so I'd then be wondering how other users handle that in practice, as things look a bit different on the backend than on the public interface, for example memcached has no built-in password protection, and you can't tunnel it as that would slow it down quite significantly.

So would IP filtering be the method of choice there, or are there other options? Filtering by specific IPs would of course require that whenever I add/remove nodes to my cluster that I add/remove rules from every other node's ip tables. Or can I get an IP range and then filter by mask?

You could use IPSec with AH and a "require" policy. If you've got the time and the expertise.

Or any other VPN solution, if you don't mind the overhead of encryption you don't need.

a start would be to deny all traffic from the internal nic but your own friendly ip, then move onto content filters/rules

A VPN tunnels is a ok idea, but mildly overkill.

The bridges on the hosts filter traffic to only allow your node to see traffic intended for it (to prevent you from going promiscuous).