iptables --gid-owner works only for user's main group
I am trying to disable access to IP 1.2.3.4 for all users except for members of group "neta". This is a new group which I created only for this matter.

iptables -I OUTPUT -o eth0 -p tcp -d 1.2.3.4 -m owner ! --gid-owner neta -j REJECT

This disables access to 1.2.3.4 for all users, even if they are member of group "neta".

I have a user xx who is a member of groups xx (main group) and neta. If I change the rule to:

iptables -I OUTPUT -o eth0 -p tcp -d 1.2.3.4 -m owner \! --gid-owner xx -j REJECT

everyone except user xx is unable to access 1.2.3.4.

I added root to this group xx:

usermod -a -G xx root

but root was still not able to access this IP. If I add the user's main group (root, xx) to the rule, everything works as expected.

I tried splitting it into two rules just to be sure (and logging rejects):

iptables -A OUTPUT -o eth0 -p tcp -d 1.2.3.4 -m owner --gid-owner neta -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp -d 1.2.3.4 -m limit --limit 2/s --limit-burst 10 -j LOG
iptables -A OUTPUT -o eth0 -p tcp -d 1.2.3.4 -j REJECT

but there is no difference. Everything is being rejected.

There are no other iptables rules.

root@vm1:~# iptables -nvL
Chain INPUT (policy ACCEPT 19 packets, 1420 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 10 packets, 1720 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     tcp  --  *      eth0    0.0.0.0/0            1.2.3.4     owner GID match 1001 
    0     0 LOG        tcp  --  *      eth0    0.0.0.0/0            1.2.3.4     limit: avg 2/sec burst 10 LOG flags 0 level 4 
    0     0 REJECT     tcp  --  *      eth0    0.0.0.0/0            1.2.3.4     reject-with icmp-port-unreachable 

I want to be able to (dis)allow access to this IP by adding/removing users from this "neta" group instead of adding iptables rules for every user.

Menarche answered 31/1, 2013 at 13:46 Comment(0)
Ok, to be honest I know too little about Linux and iptables to be sure about my theory, but since I wanted to do the same for a VPN, here we go.

I assume that the match is done using the process from which the packets originate, and that a Linux process doesn't get all groups of a user assigned; instead a process runs with one uid and one gid.

That means that you have to execute the command explicitly using this specific group, or else the command/process is executed using the default group of the user.

Writing this, I had an idea to see whether there is such a possibility. I restricted access to a certain IP range using the group vpn. This never worked. Now I tested with the following command and it works:

sg vpn -c "ssh [email protected]"

So I hope my theory was correct.

Sepaloid answered 5/4, 2013 at 9:54 Comment(0)
Old post, but chiming in since I have run into this exact problem in Ubuntu 16.04.3 LTS server.

Ubuntu's implementation of iptables extensions through netfilter examines the owner of the current network packet, and queries only the primary group id of that user. It doesn't dig deeper and get all the group memberships. Only the primary group is compared to the --gid-owner value. It doesn't look any further.

What the OP was trying to accomplish would work if he/she changed the primary/default user group of all relevant usernames to "neta". Those users would then be captured by the rule.

Brandy answered 30/12, 2017 at 18:14 Comment(0)
To use a supplementary group you need to add the --suppl-groups flag to your iptables command.

From the man page:

    --suppl-groups
        Causes group(s) specified with --gid-owner to be also checked in the supplementary groups of a process.

Enlistee answered 23/5, 2022 at 6:22 Comment(0)
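The following is an added example, not code posted by any of the answerers, that ties the second answer (the sg workaround) and the last answer (--suppl-groups) together. It builds the OP's ACCEPT/REJECT pair with --suppl-groups, and it models what xt_owner compares against: plain --gid-owner checks only the socket owner's primary (effective) gid, --suppl-groups also walks the supplementary list. The rules are printed, not applied, so the script runs without root or iptables; it assumes a POSIX id(1), and it assumes your kernel and iptables are new enough to have --suppl-groups (the 2013 and 2017 answers predate the option, which is consistent with them only ever seeing the primary gid matched). The destination 1.2.3.4 and group name neta are the OP's; gid 4294967295 in the comments is a constructed "no such group" value.

```shell
#!/bin/sh
# Added example for this thread, not code from the question or the answers.
# Assumes: POSIX `id`; an iptables whose owner match supports --suppl-groups
# for the printed rules (they are only printed here, never applied).

# Build the OP's rule pair with --suppl-groups, so that a user whose membership
# in "$2" is supplementary (like the OP's user "xx", primary group "xx") matches.
gid_rules() {
    dst="$1"; grp="$2"
    printf '%s\n' \
        "iptables -A OUTPUT -o eth0 -p tcp -d $dst -m owner --gid-owner $grp --suppl-groups -j ACCEPT" \
        "iptables -A OUTPUT -o eth0 -p tcp -d $dst -j REJECT"
}

# Classify how the calling process relates to numeric gid $1:
#   primary       - it is the effective gid (what plain --gid-owner compares against)
#   supplementary - it is only in the supplementary list (only --suppl-groups sees it)
#   none          - not a member at all (e.g. a constructed gid such as 4294967295)
gid_membership() {
    gid="$1"
    [ "$(id -g)" = "$gid" ] && { echo primary; return 0; }
    for g in $(id -G); do
        [ "$g" = "$gid" ] && { echo supplementary; return 0; }
    done
    echo none
}

# Predict whether `-m owner --gid-owner $1` would match a socket this process
# opens. Second arg "suppl" models --suppl-groups; anything else models the
# primary-only comparison the OP and the 2017 answer ran into.
owner_match() {
    gid="$1"; mode="${2:-primary-only}"
    case "$(gid_membership "$gid")" in
        primary)       return 0 ;;
        supplementary) [ "$mode" = suppl ] ;;
        *)             return 1 ;;
    esac
}

# Workaround from the second answer for an iptables without --suppl-groups:
# sg makes "$1" the primary gid of the child, so the primary-only check matches
# for that one command. Not exercised by the tests (needs the group to exist).
run_in_group() {
    sg "$1" -c "$2"
}

# Stand-alone use: ./script.sh --print-rules [destination] [group]
if [ "${1-}" = "--print-rules" ]; then
    gid_rules "${2:-1.2.3.4}" "${3:-neta}"
fi
```

On a real box the quickest confirmation of the primary-versus-supplementary point is `id -g` versus `sg neta -c 'id -g'` as user xx: the first prints xx's gid (what the original rule compared), the second prints neta's, which is why the sg form in the second answer matched while the plain rule did not.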