From: pawa@tormail.org
To: netfilter@vger.kernel.org
Subject: Blocking incoming non-localhost traffic, *except* for certain gid
Date: Sun, 25 Nov 2012 04:01:55 +0000
Message-ID: <1TcTOh-000KTd-Fd@internal.tormail.org>

I'm trying to block all non-localhost IPv4 traffic, outgoing and
incoming, on my computer, except for processes with gid 1111 which
should be able to interact with my LAN (and the Internet through a
gateway in it). Here's what generates my ruleset (iptables-save shows
nothing beyond that):

    FILTER='iptables -A OUTPUT'
       LOG='LOG --log-uid --log-prefix'

    $FILTER -o lo -j $LOG accept_lo:
    $FILTER -o lo -j ACCEPT

    $FILTER -d 127.0.0.1 -j $LOG accept_127.0.0.1:
    $FILTER -d 127.0.0.1 -j ACCEPT

    $FILTER -m owner --gid-owner 1111 -j $LOG accept_gid1111:
    $FILTER -m owner --gid-owner 1111 -j ACCEPT

    $FILTER -j $LOG reject:
    $FILTER -j REJECT --reject-with icmp-net-prohibited

It works for outgoing connections, but incoming connections somehow
get blocked regardless of which group they are in. My PC runs kernel
3.6.7 + iptables 1.4.16.3. It is at 192.168.1.1; for testing I let
netcat listen:

    nc -v -n -l -p 1234

And connect from another computer (192.168.1.2):

    nc -v -n 192.168.1.1 1234

That gives me these kinds of kernel log entries, no matter what gid
the listening process has:

    reject:IN= OUT=eth0 SRC=192.168.1.1 DST=192.168.1.2 LEN=60
    TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=1234 DPT=64079
    WINDOW=14480 RES=0x00 ACK SYN URGP=0
    accept_lo:IN= OUT=lo SRC=192.168.1.1 DST=192.168.1.1 LEN=88
    TOS=0x00 PREC=0xC0 TTL=64 ID=20114 PROTO=ICMP TYPE=3 CODE=9
    [SRC=192.168.1.1 DST=192.168.1.2 LEN=60 TOS=0x00 PREC=0x00 TTL=64
    ID=0 DF PROTO=TCP SPT=1234 DPT=64079 WINDOW=14480 RES=0x00 ACK SYN
    URGP=0 ]
    ... and those two repeated (except for the ICMP packet's ID
    incrementing) as the connecting netcat retries ...

So I suppose the incoming SYN is accepted but not important enough
to be logged? (Any way to get complete logging?)
But why does the SYN-ACK get rejected?
And how can I get it to work?

Cheers
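What the logged entries say about the failure, as an added shell example that is not part of the original mail or of the netfilter project: the LOG target's --log-uid option prints UID=/GID= only when a local socket is attached to the packet, and the rejected packet is the outbound SYN-ACK, which the kernel generates in reply to the incoming SYN without attaching the listener's socket, so the gid-owner rule cannot match it and it falls through to REJECT (the ICMP type 3 code 9 on lo is the icmp-net-prohibited error that REJECT produced). The first two sample lines are the mail's own entries rejoined onto one line each; the third is a constructed entry for an outbound connection that does have an owning socket.

```shell
#!/bin/sh
# Added example, not from the original post: re-read the kernel LOG entries
# quoted in the mail. Each entry is one line again here (the mail wrapped
# them). The third entry is constructed: an outbound connection that does
# have an owning socket, so --log-uid printed UID=/GID= for it.
LOG_SAMPLE='reject:IN= OUT=eth0 SRC=192.168.1.1 DST=192.168.1.2 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=1234 DPT=64079 WINDOW=14480 RES=0x00 ACK SYN URGP=0
accept_lo:IN= OUT=lo SRC=192.168.1.1 DST=192.168.1.1 LEN=88 TOS=0x00 PREC=0xC0 TTL=64 ID=20114 PROTO=ICMP TYPE=3 CODE=9 [SRC=192.168.1.1 DST=192.168.1.2 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=1234 DPT=64079 WINDOW=14480 RES=0x00 ACK SYN URGP=0 ]
accept_gid1111:IN= OUT=eth0 SRC=192.168.1.1 DST=192.168.1.2 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4242 DF PROTO=TCP SPT=40000 DPT=80 WINDOW=14600 RES=0x00 SYN URGP=0 UID=1000 GID=1111'

# classify_log: reads LOG lines on stdin, prints one summary per entry:
#   <prefix> <in:if|out:if> <proto> <tcp flags | icmp type/code> <GID|none> owner-match:<yes|no>
# --log-uid prints UID=/GID= only when a local socket is attached to the
# packet; without one, "-m owner --gid-owner" cannot match that packet.
classify_log() {
    awk '{
        prefix = $0; sub(/:.*/, "", prefix)        # the --log-prefix text
        rest = $0;   sub(/^[^:]*:/, "", rest)      # everything after it
        n = split(rest, tok, " ")
        dir = "?"; proto = "?"; detail = ""; gid = "none"
        for (i = 1; i <= n; i++) {
            t = tok[i]
            if (t ~ /^\[/) break                   # quoted payload of an ICMP error: stop
            if (t ~ /^IN=./) dir = "in:" substr(t, 4)
            else if (t ~ /^OUT=./) dir = "out:" substr(t, 5)
            else if (t ~ /^PROTO=/) proto = substr(t, 7)
            else if (t ~ /^(SYN|ACK|FIN|RST)$/) detail = detail t ","
            else if (t ~ /^(TYPE|CODE)=/) detail = detail substr(t, 6) "/"
            else if (t ~ /^GID=/) gid = substr(t, 5)
        }
        detail = substr(detail, 1, length(detail) - 1)   # drop trailing separator
        if (detail == "") detail = "-"
        if (proto == "ICMP" && detail == "3/9") detail = detail "(net-prohibited)"
        om = (gid == "none") ? "owner-match:no" : "owner-match:yes"
        print prefix, dir, proto, detail, gid, om
    }'
}

# reject_summary: the summary line for the entry the REJECT rule logged
reject_summary() {
    printf '%s\n' "$LOG_SAMPLE" | classify_log | grep '^reject ' | head -n 1
}

printf '%s\n' "$LOG_SAMPLE" | classify_log
```

Kernel-generated replies such as this SYN-ACK are normally admitted by a `-m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT` rule placed ahead of the owner rules in OUTPUT, since conntrack sees the reply direction of an accepted SYN as ESTABLISHED; which inbound connections may reach the listener is then decided in INPUT rather than by the owner match.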
