The simplest method is to block all outgoing requests, except those from your proxy server. If they don't use the proxy, they don't get Internet access. Start with a "deny all" policy.
Then, add rules to allow specific protocols to/from specific IPs on specific ports, as needed, for access to other services. Don't use any rules like "allow ip from localnet to any 25". Always specify an IP (don't use "any").
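An added example, not part of the original post: a small Python audit that checks a ruleset against the advice above (a final deny-all, specific protocol and port, no "any" address except for the proxy's own egress). The rule shape is a simplification of the rule quoted in the post; the sample rules, the addresses (documentation ranges), the proxy address and first-match evaluation are assumptions.

```python
import re

# Simplified rule shape taken from the post's wording (an assumption, not a
# full firewall grammar): <action> <proto> from <src> to <dst> [port]
RULE = re.compile(r"(allow|deny)\s+(\S+)\s+from\s+(\S+)\s+to\s+(\S+)(?:\s+(\S+))?$")

# Constructed sample ruleset; 192.0.2.10 stands in for the proxy server.
SAMPLE = """\
allow tcp from 192.0.2.10 to any 443           # proxy egress
allow tcp from 10.0.0.0/24 to 192.0.2.10 3128  # clients to the proxy
allow ip from localnet to any 25               # pattern the post warns against
allow tcp from 10.0.0.0/24 to 192.0.2.25 25    # mail to one named relay
deny ip from any to any
"""

def audit(ruleset, proxy_ip):
    """Return sorted (line_no, problem) pairs; assumes first-match evaluation."""
    findings, last = [], None
    for no, raw in enumerate(ruleset.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        m = RULE.match(line)
        if not m:
            findings.append((no, "unparsed rule"))
            continue
        action, proto, src, dst, port = last = m.groups()
        if action != "allow":
            continue
        if proto in ("ip", "all"):
            findings.append((no, "protocol not specific"))
        if port is None:
            findings.append((no, "no port given"))
        # Only the proxy itself may talk to arbitrary destinations.
        if src == "any" or (dst == "any" and src != proxy_ip):
            findings.append((no, "'any' used as an address"))
    # The last parsed rule must be the catch-all deny.
    if last is None or last[:4] != ("deny", "ip", "any", "any"):
        findings.append((0, "ruleset does not end in deny-all"))
    return sorted(findings)

if __name__ == "__main__":
    for line_no, problem in audit(SAMPLE, "192.0.2.10"):
        print(f"line {line_no}: {problem}")
```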