I did indeed solve it for now like this: tmate makes SSH connections to internet servers, so I blocked outbound traffic to SSH ports via iptables ;-)
iptables -A OUTPUT -p tcp --dport 22 -j DROP
But you have to be aware that you will receive all keystrokes typed into the web interface while the traffic was blocked.
So unblock with something like
iptables -D OUTPUT -p tcp --dport 22 -j DROP && vi
or something like this, to not allow the commands into a shell.
Nevertheless, some tmate'ish solution would be great.