Block IRC for some but not all of my users


I want to prohibit some of my users from connecting to IRC, however there are also users that I want to allow to connect to IRC, so just blocking 6667 (irc) in iptables won't do what I want.

Can anyone help me or give me a direction on how to do this?
1 Solution
Local users? (i.e. shell users?)
Change permissions for /usr/bin/irc

Remote users?
Do they have a static IP? What is your network?
Try giving selective access using iptables,
i.e. default drop, and allow selected IP addresses.

Or a different solution would be to set up a VPN server
(PoPToP would be a good choice) and make your users connect to the VPN to access the IRC server via a private network. Thus you can allow access to IRC using iptables for the VPN private network only. Add masquerading for the new VPN net also.

What you can do if you have the IPs of the people you want to have access is to create rules just for them and then after them deny all others. It is not pretty, and if your IPs are static it will work OK.

For example

iptables -A OUTPUT -j ACCEPT -p tcp -s $ip --dport 6667
iptables -A OUTPUT -j ACCEPT -p tcp -s $ip --dport 6667
iptables -A OUTPUT -j ACCEPT -p tcp -s $ip --dport 6667
iptables -A OUTPUT -j DROP -p tcp --dport 6667

If your box is the firewall/proxy then OUTPUT is the proper location; if your box is the IRC server then put the rules in INPUT.

If they are local users, I know there's an option to filter certain ports to different computers; maybe get a router that does that?

SocAuthor Commented:
By users I mean users logging in to my machine through SSH, so not just network users.

My users come from varying IP addresses (dynamic, work, etc.), so blocking on an IP basis won't be possible.

I also don't want to block access to the IRC servers since there are also clients I want to allow to connect to IRC.

When I block access to the program 'irc', users just download a new client, or even worse some IRC bot. I could 'threaten' them with policies and rules, but don't want to do that, since it won't help.
I think you should use iptables to tune your local IRC access rights according to your policy.

[man iptables]

       This module attempts to match various characteristics of the packet creator, for locally-generated packets. It is only valid in the OUTPUT chain, and even this some packets (such as ICMP ping responses) may have no owner, and hence never match.

       --uid-owner userid
              Matches if the packet was created by a process with the given effective user id.

       --gid-owner groupid
              Matches if the packet was created by a process with the given effective group id.
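
The owner match quoted above, applied to the question's case of SSH shell users on the machine itself, as an added example that is not part of the original answer. The chain name IRC_OUT and the account names in the usage comment are hypothetical; the function only prints the iptables commands so they can be reviewed before being run as root.

```shell
#!/bin/sh
# Added example: allow outbound IRC only for listed local accounts,
# using the owner match (valid in the OUTPUT chain only).
# Usage (account names are placeholders):
#   . ./irc-owner.sh && irc_owner_rules alice bob | sudo sh

IRC_PORT=6667        # port named in the question
CHAIN="IRC_OUT"      # hypothetical name for a dedicated chain

# irc_owner_rules USER...  -> prints one iptables command per line
irc_owner_rules() {
    [ "$#" -gt 0 ] || { echo "usage: irc_owner_rules USER..." >&2; return 2; }

    # Resolve every account first, so a typo aborts before any rule
    # is printed and a half-built rule set is never applied.
    uids=""
    for user in "$@"; do
        uid=$(id -u "$user" 2>/dev/null) || {
            echo "unknown user: $user" >&2
            return 1
        }
        uids="$uids $uid"
    done

    # Only locally generated TCP traffic to the IRC port enters the chain.
    echo "iptables -N $CHAIN"
    echo "iptables -A OUTPUT -p tcp --dport $IRC_PORT -j $CHAIN"

    # One ACCEPT per allowed effective uid. This follows the process,
    # so it also covers a client the user downloaded themselves.
    for uid in $uids; do
        echo "iptables -A $CHAIN -m owner --uid-owner $uid -j ACCEPT"
    done

    # Every other local process gets an immediate reset instead of a
    # silent drop, so blocked clients fail fast.
    echo "iptables -A $CHAIN -p tcp -j REJECT --reject-with tcp-reset"
}
```

These rules cover IPv4 and the single port 6667 only; a host with IPv6 connectivity needs the same rules loaded through ip6tables.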
SocAuthor Commented:
Thanks mate, should have looked in the man before I posted, but thanks a lot :)
