> From my experience with -m owner/group (extremely limited I must admit) > I don't think it's possible. The messages in /var/log/messages don't > seem to have any uid information, and afaik there isn't any sort of > variables that iptables has in to do this sort of thing. Would it be possible to get the LOG target to log the PID of the process that tried to send the traffic out? If this could be done it would be a relatively trivial to write a daemon that would watch the log looking for the LOG liens (presumably with a special pattern in the --log-prefix parameter as a key) and try to identify who ran the process that has the PID in question. The only caveat that comes to mind is that process might spawn and die / close before the daemon could identify who was running it so I would be tempted to send the traffic to user space QUEUE (I think) to something that would ultimately just drop it but that could introduce a pause long enough (or do the searching it's self) for the user identification to take place? I am in no way capable of writing such applications / daemons, but I know there are those who are. This is just my $.02 on it. Grant. . . .
