Facebook uses an HTTPS connection, so if a user types https://facebook.com or https://fb.com they can bypass your server anytime, because in general Squid does not understand HTTPS. For example, when a user googles something restricted, Squid does not understand it until the user opens the link, and if the link is not HTTPS then Squid takes action. If you only use iptables as your firewall, you can make a cron job with a script to add the list of Facebook servers and block any type of connection on TCP or UDP ports. The list is not small, but I think this is the best solution, because anytime someone just types https://facebook.com they can bypass the server. With this script you can obtain the IP addresses of Facebook's servers:
whois -h whois.radb.net -- '-i origin AS32934' | grep ^route | grep -v route6 | cut -d" " -f7 > /fb_ip_list
This method is working. If anyone has a better idea, I will share it with great pleasure.
Good luck.
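
One way to turn that prefix list into the cron-driven iptables block described in the post (an added example, not part of the original post). It assumes ipset is installed, that the box forwards client traffic (FORWARD chain), and uses a hypothetical set name fb_block:

```sh
#!/bin/sh
# Added example: load the AS32934 prefixes into an ipset matched by one
# iptables rule. SET name and the FORWARD chain are assumptions.
SET=fb_block

# stdin: raw whois output. stdout: unique, valid IPv4 CIDR prefixes.
parse_routes() {
    awk '$1 == "route:" { print $2 }' |
    grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])$' |
    awk -F'[./]' '$1 <= 255 && $2 <= 255 && $3 <= 255 && $4 <= 255' |
    sort -u
}

# stdin: prefixes. stdout: an "ipset restore" script that fills a scratch
# set and swaps it in, so the live set is never half-populated.
gen_restore() {
    echo "create $SET hash:net family inet"
    echo "create ${SET}_new hash:net family inet"
    echo "flush ${SET}_new"
    while read -r net; do
        echo "add ${SET}_new $net"
    done
    echo "swap ${SET}_new $SET"
    echo "destroy ${SET}_new"
}

# Fetch, validate, load. An empty result (whois failure) keeps the old set.
apply() {
    list=$(whois -h whois.radb.net -- '-i origin AS32934' | parse_routes)
    if [ -z "$list" ]; then
        echo "no prefixes returned; keeping existing set" >&2
        return 1
    fi
    printf '%s\n' "$list" | gen_restore | ipset -exist restore
    # No protocol match, so TCP and UDP on every port are covered.
    iptables -C FORWARD -m set --match-set "$SET" dst -j REJECT 2>/dev/null ||
        iptables -I FORWARD -m set --match-set "$SET" dst -j REJECT
}

# Run from cron as: script apply
if [ "${1:-}" = "apply" ]; then
    apply
fi
```

Parsing on the `route:` key instead of a fixed column keeps the list correct if the whois padding changes, and the validation step stops a malformed or empty response from replacing a working block list.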