Might sound silly..
I thought I would just apply an ACL to the NAT rule, but the bugger says no.
Trying to lock this :
ip nat inside source static tcp 192.168.3.10 3389 interface GigabitEthernet0/0 3389
Down to only permitted external addresses (for obvious reasons)
Been a long day, so might just be missing the obvious.
If you don't care about egress traffic, then you don't need to apply any access-list and it would allow everything going outbound.
However, you can configure ACL that only permit 192.168.3.0/24 to go outbound and apply it on gig0/0 on the outbound/egress direction. Use any unique ACL number (174 is OK) as 175 has been used for NAT statement.