The OpenVZ wiki has a nice script for firewalling an OpenVZ node and its containers. It creates a service and configures iptables to block all traffic to the node (except the ports you specify), but allow all traffic through to the containers, so that they can manage their own firewalls. It also allows the containers’ firewalls to be managed on the node through a simple config file.
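The policy described above, sketched as an added example (this is not the OpenVZ wiki script): a default-deny INPUT chain for the node with a short list of allowed ports, and an open FORWARD chain for traffic routed to the containers. The function name `gen_node_rules`, the sample port list, and the loopback and established-connection rules are assumptions made for this illustration.

```shell
#!/bin/sh
# Added illustration, not the OpenVZ wiki script.
# NODE_TCP_PORTS is a constructed sample: TCP ports that stay reachable on the node.
NODE_TCP_PORTS="22 443"

# Print an iptables-restore ruleset for the node's filter table.
# $1: space-separated list of TCP ports to leave open on the node itself.
gen_node_rules() {
    ports="$1"
    # Validate every port before emitting anything, so a typo in the list
    # never produces a partial ruleset.
    for p in $ports; do
        case "$p" in
            ''|0*|*[!0-9]*|??????*) echo "invalid port: $p" >&2; return 1 ;;
        esac
        if [ "$p" -gt 65535 ]; then
            echo "invalid port: $p" >&2; return 1
        fi
    done
    printf '%s\n' "*filter"
    # Traffic addressed to the node: default deny.
    printf '%s\n' ":INPUT DROP [0:0]"
    # Traffic routed through the node to containers: left open, so each
    # container can run its own firewall.
    printf '%s\n' ":FORWARD ACCEPT [0:0]"
    printf '%s\n' ":OUTPUT ACCEPT [0:0]"
    # Assumed baseline: keep loopback and replies to the node's own connections.
    printf '%s\n' "-A INPUT -i lo -j ACCEPT"
    printf '%s\n' "-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    for p in $ports; do
        printf '%s\n' "-A INPUT -p tcp -m tcp --dport $p -j ACCEPT"
    done
    printf '%s\n' "COMMIT"
}

# Review the output first. To load it (as root):
#   gen_node_rules "$NODE_TCP_PORTS" | iptables-restore
gen_node_rules "$NODE_TCP_PORTS"
```

Leaving the SSH port out of the list on a remote node drops the administrator's own access, so check the generated rules before loading them.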