IPTABLES allow connection to a list of IPs to a specific user (ip) - block all the rest from this user only

Probably this is not a clean solution, but it will work

All users will have access to the internet except the restricted user.

#!/bin/sh
# Define variables
USER_IP=172.16.0.101                      # the restricted host
ALLOW_IPS="1.2.3.4 2.3.4.5 3.4.5.6"       # destinations this host may still reach
IF_EXTERNAL=vmbr0                         # outgoing (internet-facing) interface

# Clear iptables of previous allow-ip rules (matched by comment) and of the
# common masquerade rule, so the script can be re-run without duplicating rules
iptables-save | grep -v "userrestricted\|MASQUERADE" | iptables-restore

# Generate rules for masquerading from the restricted user (ip) to each allowed IP
for ALLOW_IP in $ALLOW_IPS
do
    iptables -t nat -A POSTROUTING -s ${USER_IP} -d ${ALLOW_IP} -o ${IF_EXTERNAL} -j MASQUERADE -m comment --comment userrestricted
done

# Trick with SNAT that will invalidate the remaining packets from the restricted
# user: rewriting their source to 127.0.0.1 makes the kernel discard them
iptables -t nat -A POSTROUTING -s ${USER_IP} -o ${IF_EXTERNAL} -j SNAT --to 127.0.0.1 -m comment --comment userrestricted

# Get the common masquerade rule back (must come after the restricted user rules)
iptables -t nat -A POSTROUTING -o ${IF_EXTERNAL} -j MASQUERADE

It works for me; make sure you have the common masquerade rule after the restricted user rules.

Please check it; if it's not what you want I can correct the answer.
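The same per-host allow-list can be expressed in the filter table's FORWARD chain instead of the nat table. This is an added example, not the answerer's script and not code from the original thread; the IP addresses, the interface name and the chain name USERRESTRICTED are assumed values chosen for illustration. The nat table only makes a decision for the first packet of each connection and the SNAT-to-127.0.0.1 trick relies on the kernel discarding packets with a loopback source, whereas a REJECT in FORWARD states the policy directly, leaves the common MASQUERADE rule untouched, and lets the rule set be printed and reviewed before it is applied.

```shell
#!/bin/sh
# Added example: allow one internal host to reach only a fixed list of
# destinations, using a dedicated FORWARD sub-chain. Values below are
# assumptions for illustration, not taken from the original answer.
USER_IP="${USER_IP:-172.16.0.101}"
ALLOW_IPS="${ALLOW_IPS:-1.2.3.4 2.3.4.5 3.4.5.6}"
IF_EXTERNAL="${IF_EXTERNAL:-vmbr0}"
CHAIN="USERRESTRICTED"      # assumed name of the custom chain

# Emit the iptables commands one per line without executing them, so the
# resulting policy can be inspected (or tested) before touching the firewall.
# Arguments: <restricted ip> <space-separated allowed ips> <external interface>
generate_rules() {
    # Replies to connections that were allowed must still pass.
    echo "iptables -A $CHAIN -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    for ip in $2; do
        echo "iptables -A $CHAIN -d $ip -j ACCEPT"
    done
    # Everything else from this host toward the outside is refused; REJECT
    # gives the client an immediate error instead of a silent timeout.
    echo "iptables -A $CHAIN -j REJECT --reject-with icmp-admin-prohibited"
    # Hook the chain into FORWARD only for traffic from the restricted host
    # leaving on the external interface; all other hosts are unaffected.
    echo "iptables -I FORWARD -s $1 -o $3 -j $CHAIN"
}

# Number of rules the policy produces (handy for a sanity check).
count_rules() {
    generate_rules "$@" | wc -l | tr -d ' '
}

# Apply the policy idempotently: (re)create the chain, drop any previous hook,
# then run the generated commands. Requires root.
apply_rules() {
    iptables -N "$CHAIN" 2>/dev/null || true       # chain may already exist
    iptables -F "$CHAIN"                           # start from an empty chain
    iptables -D FORWARD -s "$1" -o "$3" -j "$CHAIN" 2>/dev/null || true
    generate_rules "$@" | while IFS= read -r cmd; do
        $cmd || return 1
    done
}

if [ "${1:-}" = "apply" ]; then
    apply_rules "$USER_IP" "$ALLOW_IPS" "$IF_EXTERNAL"
else
    # Dry run: print the rules that "apply" would install.
    generate_rules "$USER_IP" "$ALLOW_IPS" "$IF_EXTERNAL"
fi
```

Run it without arguments to print the rules, and with `apply` (as root) to install them. Because the MASQUERADE rule in nat POSTROUTING is never touched, the other hosts keep internet access exactly as before, and the restricted host's policy can be removed with a single `iptables -D FORWARD ... -j USERRESTRICTED` followed by `iptables -X USERRESTRICTED`.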