Rebuilding Firewall Internet Sharing
groundzero
09-08-2003, 10:22 AM
I have a 40 node network with a T1 coming in. I currently use iptables for internet connection sharing and filtering. It also has given me the ability to limit who is allowed to go to what web sites. Either way I am about to rebuild the firewall and was wondering if I should just go back with what I have or go ahead and find out if there is a better solution.
My goal:
1 Firewall - 2 NICs - 40 users on the LAN side - 20 can surf / do whatever they want - 10 can go to the sites on list A, 10 can only go to the sites in list B.
That's kinda what I have now.
But maybe you guys have a better way - right now it's kinda sloppy :)
homey
09-08-2003, 10:35 AM
Your setup sounds pretty slick to me! :)
There are people asking about how to set that up all the time.
And I don't think you will find any better solution than IPtables.
groundzero
09-08-2003, 10:37 AM
That's true.
I'm going to have to post my solution up here - cleaner / better than before :)
I want to make it more modular - my scripts that is.
fredg
09-08-2003, 11:39 AM
I guess that depends on what has to happen on your LAN between your users.
Have you considered splitting the network into two or more segments? One could be unrestricted outbound thru the firewall, the other(s) would have rules applied. Would make for less load on the rules checking part, but I doubt that would be a problem anyway.
Might be easier to segregate users though, you just move their cable and change their LAN IP rather than editing the rules.
You'd need separate switches and another NIC or two.
groundzero
09-08-2003, 11:43 AM
That's true, and a thought. But I get called from the people upstairs to allow this person this / or deny this person that. So it's ever changing. I have to go in / edit the script then restart iptables every time. Kind of a pain, but they love that they can have so much power - freaks....
:)
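
One way to lay out the three-tier policy from the thread so that a user change means editing a list rather than the script, as an added example that is not code from any poster. It assumes users are identified by fixed LAN IP addresses and that each site list is kept as destination IP addresses, since iptables matches on addresses rather than host names; the interface name, the chain names and every address are constructed.

```shell
#!/bin/sh
# Added example: build the FORWARD policy from per-group lists.
# All addresses are constructed (documentation ranges); eth1 as the LAN
# interface is an assumption. In practice each list would be its own file.
LAN_IF="eth1"
FREE_USERS="192.0.2.10 192.0.2.11"      # may go anywhere
GROUP_A_USERS="192.0.2.50 192.0.2.51"   # limited to LIST_A_SITES
GROUP_B_USERS="192.0.2.80"              # limited to LIST_B_SITES
LIST_A_SITES="198.51.100.20 198.51.100.21"
LIST_B_SITES="203.0.113.5"

# emit_group CHAIN "users" "sites": send each user to CHAIN, which accepts
# only the listed destinations and rejects everything else.
emit_group() {
    for u in $2; do echo "-A FORWARD -i $LAN_IF -s $u -j $1"; done
    for d in $3; do echo "-A $1 -d $d -j ACCEPT"; done
    echo "-A $1 -j REJECT"
}

# gen_rules: print the ruleset in iptables-restore format on stdout.
gen_rules() {
    echo "*filter"
    echo ":FORWARD DROP [0:0]"   # anyone not listed below is not forwarded
    echo ":LIST_A - [0:0]"
    echo ":LIST_B - [0:0]"
    echo "-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    for u in $FREE_USERS; do echo "-A FORWARD -i $LAN_IF -s $u -j ACCEPT"; done
    emit_group LIST_A "$GROUP_A_USERS" "$LIST_A_SITES"
    emit_group LIST_B "$GROUP_B_USERS" "$LIST_B_SITES"
    echo "COMMIT"
}

# Print only. A ruleset meant for loading would also carry the INPUT/OUTPUT
# and NAT rules, because iptables-restore replaces each table it loads:
#   gen_rules | iptables-restore --test && gen_rules | iptables-restore
gen_rules
```

Because the policy keys on source address, a user who changes their own LAN IP lands in a different group, so address assignment on the LAN has to be controlled for the lists to mean anything.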