Hello,
1) In order to disable iptables in a VE you can use the vz.conf/<veid>.conf files or vzctl. Look at the default vz.conf:
...
IPTABLES="ipt_REJECT ipt_tos ipt_limit ipt_multiport iptable_filter iptable_mangle ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_length"
...
It means that these modules and the appropriate rules/targets will be available in VEs. Just do
and no iptables will be available in VEs.
2) As concerns configuration options: yes, there can be different problems, as you pointed out. You can file bugs in bugzilla and some time these bugs will be fixed!
Thanks!