I have a Debian server running at the gateway level on a LAN. This runs squid for creating block lists of websites, e.g. blocking social networking on the LAN. It also uses iptables.
I am able to do a lot of things with squid & iptables, but a few things seem difficult to achieve.
1) If I block facebook through their http url, people can still access https://www.facebook.com because squid doesn't go through https traffic by default. However, if the users set the gateway IP address as proxy on their web browser, then https is also blocked. So I can do one thing: using iptables, drop all outgoing 443 traffic, so that people are forced to set the proxy on their browser in order to browse any HTTPS traffic. However, is there a better solution for this?
2) As the number of blocked urls increases in squid, I am planning to integrate squidGuard. However, the good squidGuard lists are not free for commercial use. Does anyone know of a good squidGuard list which is free?
3) Block yahoo messenger, gtalk etc. There are so many ports on which these instant messenger programs work. You need to drop lots of outgoing ports in iptables. However, new ports get added, so you have to keep adding them. And even if your list of ports is current, people can still use the web version of gtalk etc.
4) Blocking P2P. Haven't been able to figure out how to do this till now.
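To make point 1) concrete, here is an added example (not code from the question or from squid) that models squid's `dstdomain` ACL matching and applies it to proxy request lines. A browser configured to use the proxy sends `CONNECT host:443` for HTTPS, so the destination hostname is visible and can be matched against the same blocklist as plain HTTP URLs; traffic sent directly to port 443 never passes through this check, which is the gap the question describes. The blocklist contents and request lines are constructed for the example, and `render_squid_acl` is a helper assumed here to emit the corresponding `squid.conf` lines.

```python
"""Mini model of squid's dstdomain ACL applied to HTTP and CONNECT requests.

Constructed example; not squid's own code. Shows why a domain blocklist
catches HTTPS only when the browser sends CONNECT requests via the proxy.
"""
from urllib.parse import urlsplit

# Constructed blocklist in squid dstdomain syntax: a leading dot matches the
# domain and all of its subdomains; no leading dot matches that host only.
BLOCKLIST = """
# social networking (constructed sample)
.facebook.com
.fbcdn.net
www.twitter.com
"""


def parse_dstdomain(text):
    """Return ACL entries from a blocklist, skipping blanks and '#' comments."""
    entries = []
    for line in text.splitlines():
        line = line.split('#', 1)[0].strip().lower()
        if line:
            entries.append(line)
    return entries


def dstdomain_match(host, entries):
    """Return the matching entry, or None.

    squid dstdomain semantics: '.example.com' matches example.com and every
    subdomain of it; 'www.example.com' matches exactly that host.
    """
    host = host.lower().rstrip('.')
    for entry in entries:
        if entry.startswith('.'):
            if host == entry[1:] or host.endswith(entry):
                return entry
        elif host == entry:
            return entry
    return None


def request_host(request_line):
    """Extract the destination host from a proxy request line.

    CONNECT (HTTPS through a proxy) carries host:port as its target; other
    methods carry an absolute URL when sent to a proxy.
    """
    method, target, _version = request_line.split()
    if method.upper() == 'CONNECT':
        return target.rsplit(':', 1)[0]
    return urlsplit(target).hostname


def decide(request_line, entries):
    """ALLOW or DENY a single proxy request against the blocklist."""
    host = request_host(request_line)
    return 'DENY' if dstdomain_match(host, entries) else 'ALLOW'


def render_squid_acl(name, entries):
    """Render the entries as squid.conf lines (assumed helper, not squid code)."""
    lines = ['acl %s dstdomain %s' % (name, entry) for entry in entries]
    lines.append('http_access deny %s' % name)
    return '\n'.join(lines)


# Constructed request lines as a proxy-configured browser would send them.
REQUESTS = [
    'GET http://www.facebook.com/ HTTP/1.1',        # plain HTTP, blocked
    'CONNECT www.facebook.com:443 HTTP/1.1',        # HTTPS via proxy, blocked
    'GET http://static.xx.fbcdn.net/a.js HTTP/1.1',  # subdomain match
    'CONNECT mobile.twitter.com:443 HTTP/1.1',      # exact entry only, allowed
    'GET http://notfacebook.com/ HTTP/1.1',         # no false suffix match
]

if __name__ == '__main__':
    acl = parse_dstdomain(BLOCKLIST)
    print(render_squid_acl('social', acl))
    for req in REQUESTS:
        print('%-6s %s' % (decide(req, acl), req))
```

Note what the model cannot do: a direct TCP connection to port 443 that bypasses the proxy carries no request line squid can inspect, so the blocklist never sees a hostname, which is why the question resorts to dropping outgoing 443 in iptables for non-proxied clients.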
For 1) and 2) I think you should look into OpenDNS.
For 3) and 4) look into snort's inline mode, or you can try PacketFence, which I recommend if you have network and Linux experience (it does way more than only block P2P).
As far as blocking P2P traffic is concerned, have a look at PacketFence. There are two articles at linux.com. One article (http://www.linux.com/learn/tutorials/386610-install-packetfence-for-powerful-network-access-control) deals with setting up PacketFence and the other (http://www.linux.com/learn/tutorials/391433-block-unwanted-traffic-with-packetfence) deals with blocking unwanted traffic.