I would imagine it's better to have the ACL referenced from the ports you want to control, using port redirection to move outgoing requests to the proxy (i.e. transparent), rather than closing the ports and forcing auth only on 80.
There is a patch-o-matic patch for netfilter & iptables called condition.

I use it to check a dynamically stored variable, e.g. after a successful PAM auth an OK value (1) is written to /proc/net/ipt_condition/web_ok/192.168.1.21/ to signify that IP is allowed to pass web traffic.
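The setup the post describes, as an added example (not the poster's own script): per-client transparent redirection of outbound port-80 traffic to a local proxy, gated on an ipt_condition flag that the auth step flips. It assumes a LAN interface eth1, a proxy on local port 3128, one condition per client named from its IP (web_ok_192_168_1_21), and the patch-o-matic proc layout /proc/net/ipt_condition/NAME holding a single 0/1; the per-IP path in the post is not used, and all of those names are assumptions, not from the original.

```shell
#!/bin/sh
# Added example: transparent-proxy redirection gated by the ipt_condition match.
# Assumptions (not from the original post): LAN_IF, PROXY_PORT, the condition
# naming scheme and COND_DIR are all hypothetical defaults; override via env.
LAN_IF="${LAN_IF:-eth1}"
PROXY_PORT="${PROXY_PORT:-3128}"
COND_DIR="${COND_DIR:-/proc/net/ipt_condition}"

# Derive a condition name from a client IP: 192.168.1.21 -> web_ok_192_168_1_21
cond_name() {
    printf 'web_ok_%s\n' "$(printf '%s' "$1" | tr '.' '_')"
}

# Print (do not run) the iptables rules for one client.
# Authenticated clients (condition = 1) have port 80 redirected to the proxy in
# nat/PREROUTING, so their packets go to INPUT, not FORWARD; anything still
# reaching FORWARD on port 80 from that host is unauthenticated and is reset.
rules_for() {
    ip="$1"; name="$(cond_name "$ip")"
    cat <<EOF
iptables -t nat -A PREROUTING -i $LAN_IF -s $ip -p tcp --dport 80 -m condition --condition $name -j REDIRECT --to-ports $PROXY_PORT
iptables -A FORWARD -i $LAN_IF -s $ip -p tcp --dport 80 -m condition ! --condition $name -j REJECT --reject-with tcp-reset
EOF
}

# Flip the condition for a client: 1 after a successful PAM auth, 0 on logout.
# The proc entry only exists once a rule referencing the name has been loaded,
# so refuse (exit 1) rather than silently creating a plain file.
set_condition() {
    f="$COND_DIR/$(cond_name "$1")"
    [ -w "$f" ] || { echo "no such condition: $f (load the rules first)" >&2; return 1; }
    printf '%s\n' "$2" > "$f"
}

# Usage: script.sh rules IP | apply IP (root) | allow IP | revoke IP
case "${1:-}" in
    rules)  rules_for "$2" ;;
    apply)  rules_for "$2" | sh -ex ;;
    allow)  set_condition "$2" 1 ;;
    revoke) set_condition "$2" 0 ;;
    *)      ;;   # no args: just define the functions
esac
```

Run `rules 192.168.1.21` first to review the rule text, `apply` it as root, and have the PAM session hook call `allow`/`revoke`; because the proc entry is created by the rule itself, `allow` fails loudly if the rules were never loaded instead of leaving the host silently unproxied.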