Block IRC for some but not all of my users

Hi,

I want to prohibit some of my users from connecting to IRC; however, there are also users that I want to allow to connect to IRC, so just blocking 6667 (irc) in iptables won't do what I want.

Can anyone help me or give me a direction on how to do this?
Soc Asked:

Ustas Commented:
Local users? (i.e. shell users?)
Change permissions for /usr/bin/irc.

Remote users?
Do they have a static IP? What is your network?
Try giving selective access using iptables,
i.e. default drop, and allow selective IP addresses.

Or a different solution would be to set up a VPN server
(PoPToP would be a good choice) and make your users connect to the VPN to access the IRC server via a private network. Thus you can allow access to IRC using iptables for the VPN private network only. Add masquerading for the new VPN net as well.
0
Hartman Commented:
Soc,

What you can do, if you have the IPs of the people you want to have access, is to create rules just for them and then after them deny all others. It is not pretty, but if your IPs are static it will work okay.

For example

iptables -A OUTPUT -j ACCEPT -p tcp -s $ip --dport 6667
iptables -A OUTPUT -j ACCEPT -p tcp -s $ip --dport 6667
iptables -A OUTPUT -j ACCEPT -p tcp -s $ip --dport 6667
iptables -A OUTPUT -j DROP -p tcp --dport 6667

If your box is the firewall/proxy then OUTPUT is the proper location; if your box is the IRC server then put the rules in INPUT.

Hartman
0
g1itch Commented:
If they are local users, I know there's an option to filter certain ports to different computers; maybe get a router that does that?
0

Soc (Author) Commented:
With users I mean users logging in to my machine through SSH, so not just network users.

My users come from varying IP addresses (dynamic, work, etc.), so blocking on IP basis won't be possible.

I also don't want to block access to the IRC servers since there are also clients I want to allow to connect to IRC.

When I block access to the program 'irc', users just download a new client, or even worse some IRC bot. I could 'threaten' them with policies and rules, but I don't want to do that, since it won't help.
0
NMi Commented:
I think you should use iptables to tune your local IRC access rights according to your policy.

[man iptables]

   owner
       This module attempts to match various characteristics of the packet creator, for locally-generated packets. It is only valid in the OUTPUT chain, and even this some packets (such as ICMP ping responses) may have no owner, and hence never match.

       --uid-owner userid
              Matches if the packet was created by a process with the given effective user id.

       --gid-owner groupid
              Matches if the packet was created by a process with the given effective group id.
0
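As an added example (not from NMi's reply or the original thread), here is how the owner match above turns into a per-group IRC block on the SSH host: users you put into a group get their outbound IRC traffic logged and dropped, everyone else is untouched. The group name "noirc" and the port list 6667/6697 are assumptions; the script only prints the rules unless you pipe them to a root shell yourself.

```shell
#!/bin/sh
# Added example, not the thread's own code. Generates iptables OUTPUT rules
# that drop IRC connections only for processes owned by members of one group.
# The owner match works in the OUTPUT chain only, so this must run on the box
# where the shell users actually start their IRC clients (the SSH host).
# Group "noirc" and ports 6667/6697 are constructed assumptions.

# Print the rule set for GROUP on the given PORTS (space separated).
# Nothing is applied here; the caller decides whether to feed the output to sh.
irc_block_rules() {
    group=$1; shift
    for port in "$@"; do
        # Log first so users who swap in a new client or bot show up in syslog.
        printf 'iptables -A OUTPUT -p tcp --dport %s -m owner --gid-owner %s -j LOG --log-prefix "IRC-BLOCK "\n' "$port" "$group"
        # Then drop. Matching on the process owner, not the binary, is the point:
        # replacing /usr/bin/irc with another client changes nothing.
        printf 'iptables -A OUTPUT -p tcp --dport %s -m owner --gid-owner %s -j DROP\n' "$port" "$group"
    done
}

# Number of rules the policy expands to (two per port); handy as a sanity check.
irc_rule_count() {
    irc_block_rules "$@" | wc -l | tr -d ' '
}

# Dry run: show what would be loaded. To enforce it, as root:
#   groupadd noirc && usermod -aG noirc <user>   # put the restricted users in the group
#   sh this_script.sh | sh                        # load the printed rules
irc_block_rules "${GROUP:-noirc}" ${PORTS:-6667 6697}
```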

Soc (Author) Commented:
Thanks mate, I should have looked in the man page before I posted, but thanks a lot :)
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.