Hello,

Yang Zhang wrote:
> Hi, is it possible to filter (local origin/destination) packets on
> process or application? My understanding is that iptables doesn't do
> this, but are there any other system facilities in Linux that make
> this possible? Thanks in advance.

The owner module (xt_owner) matches the owner of the socket

    # iptables -m owner --help
    iptables v1.4.4
    [...]
    owner match options:
    [!] --uid-owner userid[-userid]      Match local UID
    [!] --gid-owner groupid[-groupid]    Match local GID
    [!] --socket-exists                  Match if socket exists

man iptables for more details ;)
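
Added example, not part of the original reply: the owner match keys on the UID/GID of the socket rather than on a process, so one way to approximate per-application filtering is to run the application under a dedicated UID and restrict that UID in the OUTPUT chain. The UID 1500, the chain name APP_OUT and the function owner_rules are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the original message. xt_owner matches the UID/GID
# that owns the socket, not a PID or program name, so the assumption here is
# that the application runs under its own dedicated account (UID 1500 is a
# constructed value).

# owner_rules UID proto/port...
# Print iptables-restore rules that let one local UID reach only the listed
# destination ports. The owner match sees locally generated packets only,
# hence the OUTPUT chain; APP_OUT is a hypothetical chain name.
owner_rules() {
    uid=$1
    shift
    case $uid in
        ''|*[!0-9]*) echo "bad uid: $uid" >&2; return 1 ;;
    esac
    rules=""
    # Validate every proto/port pair before printing anything.
    for spec in "$@"; do
        proto=${spec%%/*}
        port=${spec#*/}
        case $proto in
            tcp|udp) ;;
            *) echo "bad protocol in: $spec" >&2; return 1 ;;
        esac
        case $port in
            ''|*[!0-9]*) echo "bad port in: $spec" >&2; return 1 ;;
        esac
        rules="${rules}-A APP_OUT -p $proto --dport $port -j ACCEPT
"
    done
    printf '%s\n' "*filter" ":APP_OUT - [0:0]" \
        "-A OUTPUT -m owner --uid-owner $uid -j APP_OUT" \
        "-A APP_OUT -o lo -j ACCEPT"
    printf '%s' "$rules"
    # Everything else sent by this UID is refused.
    printf '%s\n' "-A APP_OUT -j REJECT" "COMMIT"
}

# Print the rules for review; nothing is loaded into the kernel here.
if [ "${1:-}" = "--print" ]; then
    owner_rules 1500 tcp/443 udp/53
fi
```

After reviewing the output, it can be loaded as root with iptables-restore --noflush so that the existing rules are kept.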