A resposta de Kyle Smith está correta com um pequeno aviso: esta regra deve ser colocada antes de qualquer outra regra FORWARD:
iptables -L
Chain FORWARD (policy ACCEPT)
target prot opt source destination
DROP tcp -- [CONTAINER_IP] anywhere tcp dpt:smtp
RH-Firewall-1-INPUT all -- anywhere anywhere
/etc/sysconfig/iptables
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
/* Block outgoing 25 port for containers */
-A FORWARD -p tcp --destination-port 25 -s [CONTAINER_IP] -j DROP
/* Main config */
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT