I thought this would be easy with netfilter:
# iptables -A OUTPUT -p tcp -d 127.0.0.1 --dport 11211 -m owner \! --uid-owner 1033 -j DROP
iptables: Invalid argument
So, I find Debian stable's version is old (1.2.6a). I build the latest version and get:
iptables v1.2.8: Unknown arg `--dport'
(but --dport should be loaded implicitly by -p tcp)
So I look at the relevant code and find:
/* If you listen carefully, you can actually hear this code suck. */
/* some explanations (after four different bugs
 * in 3 different releases): If we encounter a
 * parameter, that has not been parsed yet, ... [snipped] ....
Update: This order works with 1.2.8:
# iptables -A OUTPUT -m owner \! --uid-owner ljtest -p tcp --dport 11211 -d 127.0.0.1 -j DROP
Update #2: But it can't reload this config later. Filed a bug.