Hi, here's a wild one i'm hoping someone will advise me on.
Small company here.
The IT guy had installed Linux for our webproxy and firewall. Also put up an antenna on the roof of the building and has another Linux computer connected to it, handling the routing for the WAN.
Now this is just a small time operation here, basically he was directing (via the WAN) the web to his own home and to the owners home (local isp's are unreliable old school dialup) so they could VPN from home.

Sounds good except rumors circulate that that isn't all he's done. In fact there are rumors that half his friends are leeching web from this company via his WAN links which he has setup here and there around the county.

So i wonder is there a way to discover what is really going on here. Providing i have the root login for the proxy/firewall, where do i start?

When you say leeching web, do you mean they have their own servers running over your line or that they are using your line to surf the web?
Anyway you can use iptables to log the traffic that's going over the wan-link, don't know the interface, but something like

iptables -I FORWARD -i eth1 -j LOG

would log all traffic coming in on the eth1 interface for forwarding and all those links (with ip's) would show up in /var/log/messages (on debian at least)....
If there are more ip-addresses showing up than there are legal connections to the line that would be a clue.
You could then try blocking them off (by mac-address) one by one and see who complained about loosing access.

Good luck