Você pode usar o módulo iptables owner para corresponder ao UID ou GID do soquete de origem, mas isso só funciona para pacotes originados localmente (ou seja, a partir da máquina remota).
% ssh -fNR 20022:localhost:22 localhost
% sudo iptables --append OUTPUT --destination 127.0.0.1 --protocol tcp --dport 20022 --match owner \! --uid-owner mgorven --jump REJECT
% sudo iptables -nvL OUTPUT
Chain OUTPUT (policy ACCEPT 40 packets, 6349 bytes)
pkts bytes target prot opt in out source destination
0 0 REJECT tcp -- * * 0.0.0.0/0 127.0.0.1 tcp dpt:20022 ! owner UID match 1000 reject-with icmp-port-unreachable
% telnet 127.0.0.1 20022
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
SSH-2.0-OpenSSH_5.9p1 Debian-5ubuntu1
^]
telnet> Connection closed.
% sudo telnet 127.0.0.1 20022
Trying 127.0.0.1...
telnet: Unable to connect to remote host: Connection refused