I'll guess from your question that you're not too familiar with iptables at the moment...
MAC address is a standard match...
So I'll take a bold step and suggest you don't try using RH9 for this NAT/firewall box.
The product has been retired and there aren't any security patches from "up2date" any longer..
So you'll end up with exploitable holes in your setup in the near future..
If you want to try your hand at making one from scratch, I would recommend one of the other distributions.
To stop chatting through port 80 and 443 (http & https) I would recommend installing dansguardian, which requires a proxy, e.g. squid.
A lot of distributions have squid and dansguardian packages available..
Also, not many services exist above port 1024 that regular staff need access to, so a general block from ports 1024:65535 will keep them quiet, udp & tcp.
To allow specific people by MAC address, you can add a rule set such as

iptables -N MAC_allow
iptables -A MAC_allow -m mac --mac-source 00:99:88:77:66:55 -j RETURN   # to permit: return to FORWARD
# ..... etc, one RETURN rule per permitted MAC address
iptables -A MAC_allow -j REJECT --reject-with icmp-net-prohibited       # to reject everyone else
iptables -A FORWARD -i eth0 -o eth1 -p tcp --dport 1024:65535 -j MAC_allow   # to select who gets checked
iptables -A FORWARD -i eth0 -o eth1 -p udp --dport 1024:65535 -j MAC_allow   # (everybody, in this case)
# eth0 is the local LAN, eth1 is the Internet
Once you have a working dansguardian filter, I would recommend leaving it in "logging only" or stealth mode for a week to test the transparency and to get a history of browsing before applying the block. This way you have some better information on who is doing what and where. You can make a smarter block with this.
To log higher ports, add

# -I makes this the first POSTROUTING rule; the nat table only sees the first packet of each new connection
iptables -t nat -I POSTROUTING -o eth1 -p tcp --dport 1024:65535 -j LOG --log-level 6 --log-prefix "outgoing "
I also recommend installing webmin to give it all a nice secure GUI interface..
If you want to get something up and running fast, there are several products built to do all of these things.
Have a look at www.distrowatch.com for a bootable/live-cd that you can add dansguardian to.
(Dansguardian isn't supposed to be used in a commercial environment without a license, and they recommend Smoothwall as a commercial bells-and-whistles product anyway. Links are on their site.)
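The "logging only" week above produces kernel LOG lines with the "outgoing " prefix; this added script (not from the post) turns them into a per-host, per-port tally so you can see who is talking where on the high ports before writing the MAC_allow rules. The log lines are constructed samples, and the field names are the ones the netfilter LOG target prints.

```python
from collections import defaultdict

# Constructed sample of the kernel log written by the LOG rule above (not real
# traffic). The last line comes from a differently prefixed rule and is ignored.
SAMPLE_LOG = """\
Jan 12 10:01:02 gw kernel: outgoing IN=eth0 OUT=eth1 MAC=00:11:22:33:44:55:00:99:88:77:66:55:08:00 SRC=192.168.1.10 DST=203.0.113.5 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=1 DF PROTO=TCP SPT=51234 DPT=5222 WINDOW=29200 RES=0x00 SYN URGP=0
Jan 12 10:01:09 gw kernel: outgoing IN=eth0 OUT=eth1 MAC=00:11:22:33:44:55:00:99:88:77:66:55:08:00 SRC=192.168.1.10 DST=203.0.113.5 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=2 DF PROTO=TCP SPT=51235 DPT=5222 WINDOW=29200 RES=0x00 SYN URGP=0
Jan 12 10:02:30 gw kernel: outgoing IN=eth0 OUT=eth1 MAC=00:11:22:33:44:55:00:aa:bb:cc:dd:ee:08:00 SRC=192.168.1.20 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=3 DF PROTO=TCP SPT=40001 DPT=6667 WINDOW=29200 RES=0x00 SYN URGP=0
Jan 12 10:03:00 gw kernel: dropped IN=eth0 OUT=eth1 MAC=00:11:22:33:44:55:00:de:ad:be:ef:01:08:00 SRC=192.168.1.30 DST=192.0.2.1 PROTO=TCP SPT=40002 DPT=2000
"""


def parse_log_line(line, prefix="outgoing "):
    """Return the key=value fields of one LOG line carrying `prefix`, else None."""
    marker = "kernel: " + prefix
    pos = line.find(marker)
    if pos < 0:
        return None
    fields = {}
    for token in line[pos + len(marker):].split():
        if "=" in token:
            key, value = token.split("=", 1)
            fields[key] = value
    # LOG prints the Ethernet header as dst MAC (6 bytes), src MAC (6 bytes),
    # ethertype (2 bytes); the source MAC is what MAC_allow matches on.
    mac = fields.get("MAC", "").split(":")
    fields["SRC_MAC"] = ":".join(mac[6:12]) if len(mac) >= 14 else None
    return fields


def summarize(log_text, prefix="outgoing "):
    """Count (protocol, destination port) hits per (source IP, source MAC)."""
    summary = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        fields = parse_log_line(line, prefix)
        if fields is None:
            continue
        host = (fields.get("SRC"), fields.get("SRC_MAC"))
        summary[host][(fields.get("PROTO"), fields.get("DPT"))] += 1
    return {host: dict(ports) for host, ports in summary.items()}


if __name__ == "__main__":
    for (ip, mac), ports in summarize(SAMPLE_LOG).items():
        print(ip, mac, ports)
```

Feed it the real file with `summarize(open("/var/log/messages").read())` (or wherever syslog sends kernel messages on your distribution).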