How to configure persistent packet filtering (SMTP, Telnet) on 3 Linux Ubuntu instances on docker? IP Tables rules do not apply or are too restrictive

0 votes
0 answers
22 views
Problem: I have to configure 3 Linux instances that run on docker containers on OpenStack.

Routers: Rout, Pout, Mout

Rout - should block SMTP & Telnet connections that come from HostR1 on interface sw0.4 and try to go outside the LAN/station (i.e. any other interface)
Pout - should block any connections coming from HostP1 trying to access Mout on port 9139 that runs a python tracker script (UDP)
Mout - should block ALL external connections (i.e. IPs outside the station) toward HostM1 except icmp and ssh.
! Important: Do not block connections and answers initialized by and towards HostM1. Use stateful rules (Connection tracking)!

Mout is connected to Rout on interface sw0.5 and Rout is connected to MainHost on interface to-host. MainHost is also connected to Pout on interface or-pout.

My solution which does not work:

On Rout:
    up iptables -A FORWARD -s 10.26.102.67 -p tcp --dport telnet -j REJECT
    up iptables -A FORWARD -s 10.26.102.67 -p tcp --dport 25 -j REJECT

iptables -L -n -v:
    Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination
        1    60 REJECT     tcp  --  *      *       10.26.102.67         0.0.0.0/0            tcp dpt:23 reject-with icmp-port-unreachable
        0     0 REJECT     tcp  --  *      *       10.26.102.67         0.0.0.0/0            tcp dpt:25 reject-with icmp-port-unreachable

On Pout:
    up iptables -A FORWARD -s 10.26.102.194 -p udp -d 10.26.102.66 --dport 9123 -j REJECT
    up iptables -A FORWARD -s 10.26.102.194 -p udp -d 10.26.102.129 --dport 9123 -j REJECT
    up iptables -A FORWARD -s 10.26.102.194 -p udp -d 172.30.139.245 --dport 9130 -j REJECT
    up iptables -A FORWARD -s 10.26.102.194 -p udp -d 172.30.139.241 --dport 9130 -j REJECT

On Milano:
    - no solution yet

The commands seen above on Rout and Pout are in a .conf file which apply on reboot or by using: ifdown --force -a && ifup -a. ifdown-ng is already installed & I can't install any other packages on these instances because my instances will break.
I can see that the first rule on Rout rejected some packages but the checker I am using still says: WARNING: some required outbound traffic is blocked (try to remove some rules)!
Asked by booluser (1 rep)
Dec 12, 2024, 04:24 PM
Last activity: Dec 12, 2024, 04:28 PM
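The rule layout the task asks for, as an added example that is not from the original question or its checker: Rout's rejects are scoped to packets that enter on sw0.4 and leave through another interface, and Mout's stateful ACCEPT is placed before its REJECT. Interface names and HostR1's address are taken from the question; HostM1's address and the station subnet are placeholders, and IPT defaults to a dry run that only prints the rules.

```shell
#!/bin/sh
# Added example, not from the original question. Interface names (sw0.4) and
# HostR1's address come from the question; STATION_NET and HOSTM1 are
# placeholders to fill in. IPT defaults to a dry run that only prints the rules,
# so the ordering can be reviewed without root; run with IPT=iptables to apply.
IPT="${IPT:-echo iptables}"
HOSTR1=10.26.102.67
HOSTM1="${HOSTM1:-HOSTM1_IP_PLACEHOLDER}"
STATION_NET="${STATION_NET:-STATION_NET_PLACEHOLDER}"

# Rout: reject SMTP/Telnet from HostR1 only when the packet arrived on sw0.4 and
# would leave through some other interface. Matching on -s alone (as in the
# question) also hits traffic that stays inside the LAN segment.
rout_rules() {
  for port in 25 23; do
    $IPT -A FORWARD -i sw0.4 ! -o sw0.4 -s "$HOSTR1" -p tcp --dport "$port" -j REJECT
  done
}

# Mout: stateful filter in front of HostM1. Rule order matters: conntrack state
# is checked first, so replies to flows HostM1 opened, and later packets of
# flows already accepted, never reach the final REJECT in either direction.
mout_rules() {
  $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  $IPT -A FORWARD -d "$HOSTM1" -p icmp -j ACCEPT
  $IPT -A FORWARD -d "$HOSTM1" -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
  # Only new connections from addresses outside the station are left to reject.
  $IPT -A FORWARD ! -s "$STATION_NET" -d "$HOSTM1" -m conntrack --ctstate NEW -j REJECT
}

# Print both rule sets when run as a script.
rout_rules
mout_rules
```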