There are some protocols that can’t be NAT’d or proxied without protocol awareness. For example, FTP (there are others; see the ip_nat_… modules on Linux).
What I’d love to see is an addition to the publish option that allows the helper to be specified. For example:
docker run -p 2222:21/tcp/ip_nat_ftp -d myftpserver
This would then allow the required rules to be added to the iptables ruleset rather than being forced to ‘manually’ add rules after containers have started. Almost at the point of doing a roll-my-own firewall but that involves lots of reading the docs to find the right place(s) to hook into.
AW.
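
Why publishing port 21 alone is not enough, as an added example that is not part of the original post: in passive mode the FTP server announces its own address and data port inside the control channel (RFC 959), so a NAT helper has to parse and rewrite that reply. The sample reply, the addresses and the `map_port` callback are constructed for illustration.

```python
import re

# h1,h2,h3,h4,p1,p2 as carried by PORT commands and 227 (PASV) replies, RFC 959
_HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")

# Constructed sample: a server inside a container answering PASV
PASV_REPLY = "227 Entering Passive Mode (172,17,0,2,195,80)"


def parse_hostport(line):
    """Return (ip, port) embedded in a PORT command or 227 reply, or None."""
    m = _HOSTPORT.search(line)
    if not m:
        return None
    nums = [int(g) for g in m.groups()]
    if any(n > 255 for n in nums):
        return None  # not a valid octet sequence
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]


def rewrite_227(line, public_ip, map_port):
    """Rewrite a 227 reply the way a NAT helper must: replace the private
    address with the public one and the data port with its mapped port.
    map_port is a hypothetical callback: private port -> published port."""
    if not line.startswith("227 "):
        return line  # not a passive-mode reply, pass through untouched
    parsed = parse_hostport(line)
    if parsed is None:
        return line
    _, port = parsed
    new_port = map_port(port)
    fields = public_ip.split(".") + [str(new_port >> 8), str(new_port & 0xFF)]
    return _HOSTPORT.sub(",".join(fields), line, count=1)


if __name__ == "__main__":
    # Without rewriting, the client is told to connect to an address it cannot reach
    print("server says :", PASV_REPLY, "->", parse_hostport(PASV_REPLY))
    # With rewriting, the reply carries the host address and the published data port
    print("client sees :", rewrite_227(PASV_REPLY, "203.0.113.10", lambda p: p + 1))
```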