How to restrict outgoing ssh traffic only to certain hosts w/o iptables

Add a valid route to your targets and a more generic route to null. Then, only the defined routes to your targets will be available for the users. The problem is this is available for all the users

You might use something like this

#! /bin/sh

MSG='********************************
1 = host1
2 = anotherhost
3 = host3

0 = exit
********************************'

host=none

while test none = "$host"
do
  echo "$MSG"
  echo -n 'your choice: '
  read choice
  case "$choice" in
  1) host=host1.domain.com;;
  2) host=anotherhost.xy.de;;
  3) host=just.go.here;;
  0) exit;;
  esac
done

ssh $host

as the login shell of your ssh users on the jumphost. If you save it as /usr/bin/ssh-choice, don't forget to add /usr/bin/ssh-choice to /etc/shells.

TomTomTom

I am not sure about the setup, but maybe disabling shell login on the jump host and allowing port forwarding to specific hosts only for specific users and then exercising -J option (ProxyJump) of openssh could be a solution here? The Match directive of the sshd_config could be of help here.

Responding to an earlier comment:

If you need shell access then you likely need immutable and empty .ssh/config in users' home directories, all of the allowed hosts listed in /etc/ssh/ssh_config and catch all Host directive which redirects to an always failing ProxyCommand (which may also print coaching message to stderr, so the user can see it).

Something along the lines:

Host host1 host1.example.com
    <whatever directives may be needed here if any>

Host host2 host2.example.net
    <whatever directives may be needed here if any>

Host *
    ProxyCommand /bin/false

Remove everything but the jumphost from the routing table of the host or put the firewall that prevents connections somewhere other than the host itself.

You could hosts.allow and/or hosts.deny on the target machines.