Is it possible to limit egress from swarm containers to only certain ports or to deny certain ports? I’d like to just allow containers to access 80 and 443. If I alter iptables to drop a certain port for OUTPUT on the swarm manager and worker the container is still able to access those ports.

I found the reference for DOCKER-USER in iptables and this works:

sudo /sbin/iptables -I DOCKER-USER -p tcp -m multiport --dport 80,443,53 -j ACCEPT
sudo /sbin/iptables -I DOCKER-USER 2 -p udp -m multiport --dport 80,443,53 -j ACCEPT
sudo /sbin/iptables -I DOCKER-USER 3 -m state --state ESTABLISHED,RELATED -j ACCEPT
sudo /sbin/iptables -I DOCKER-USER 4 -j DROP