The simple answer is "it can only send packets (to the client behind the NAT router) to the port that sent the packet". This is largely but not entirely correct though.
The answer depends on the way IPTables is set up, the port in question and the modules used. Simple NAT devices would only allow mapping traffic to the same port that it came from; however, not all devices are so simple. In Linux and other OSes you get "stateful firewalls", which typically use "Established and related" ports, along with various modules which look at connection states. So, for example, if an outbound FTP request is made (port 21), the router may also open up port 20 for data if the FTP module is loaded. It may also be possible for FTP to open other ports, and a malicious server might be able to do this to access an arbitrary high-numbered port. Some common tracking modules which might be leveraged include FTP, SIP, NetBIOS, PPTP, GRE, TFTP, H.323 and IRC. There is a bug, CVE-2014-8160, which may allow arbitrary bypassing of the firewall when using connection tracking under certain conditions - possibly in the way you contemplate.
It would be pretty difficult for a malicious server to open up other ports, but it may not be impossible. Of course, you would need something vulnerable listening on the other ports - and (under Linux) you could mitigate this risk by ensuring your connection tracking rules come after rules denying general access on those ports.
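
A check for the rule ordering described above, as an added example that is not part of the original answer: it scans `iptables-save` output for port deny rules that sit after a rule accepting RELATED traffic in the same chain. The two rulesets are constructed samples, the function name `shadowed_denies` is hypothetical, and the check is a heuristic that ignores negated matches and jumps to user-defined chains.

```python
import shlex

# Constructed iptables-save excerpts (not from the original answer).
RISKY = """\
*filter
:FORWARD DROP [0:0]
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -p tcp -m tcp --dport 3306 -j DROP
-A FORWARD -i eth0 -p tcp -m multiport --dports 6000:6010 -j REJECT --reject-with tcp-reset
-A FORWARD -i eth1 -o eth0 -j ACCEPT
COMMIT
"""
SAFE = """\
*filter
:FORWARD DROP [0:0]
-A FORWARD -i eth0 -p tcp -m tcp --dport 3306 -j DROP
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth1 -o eth0 -j ACCEPT
COMMIT
"""

def _opt(tokens, *names):
    """Return the value following the first of `names` found, else None."""
    for i, tok in enumerate(tokens[:-1]):
        if tok in names:
            return tokens[i + 1]
    return None

def shadowed_denies(ruleset):
    """List (chain, ports, rule) for port-deny rules placed after a RELATED accept."""
    related_seen = set()   # chains where a RELATED accept has already appeared
    findings = []
    for line in ruleset.splitlines():
        if not line.startswith("-A "):
            continue       # table headers, chain policies, comments, COMMIT
        tokens = shlex.split(line)
        chain, target = tokens[1], _opt(tokens, "-j")
        states = (_opt(tokens, "--ctstate", "--state") or "").split(",")
        ports = _opt(tokens, "--dport", "--dports")
        if target == "ACCEPT" and "RELATED" in states:
            related_seen.add(chain)
        elif target in ("DROP", "REJECT") and ports and chain in related_seen:
            findings.append((chain, ports, line))
    return findings

if __name__ == "__main__":
    for chain, ports, rule in shadowed_denies(RISKY):
        print(f"{chain}: deny for port(s) {ports} comes after the RELATED accept: {rule}")
```
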