Is there a software firewall that can protect outbound connections, for instance spyware or cheeky marketing plugins?
Use iptables, you already got it.
AFAIK spyware, BHOs and invisibly installed apps are Wintendo-only, apart from ppl using an email reader that supports reading HTML mail (the horror) and so are subject to "webbugs" or the occasional ad when using a browser like Opera (easily disabled if you really want to), I haven't seen any of those in Linux.
If you want to pursue this, you could add a simple "pass" rule that only logs traffic and add blocking rules for domains you want to be blocked using the Yoyo or Adshield blocklists, or deny outgoing traffic to dst port 80, 443, 8000, 8080, and only allow that traffic to travel through a proxy (for those familiar with Junkbuster, Webwasher or Proxomitron: try Privoxy), then load the blocklists there.
I think logging outgoing traffic ain't bad, it provides you with a general idea of what traffic you generate, but as spyware isn't a Linux thing I don't think you need to block those domains.
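
The log-then-force-through-a-proxy setup described in the answer above, as an added example that is not part of the original thread. It assumes the proxy runs on the same machine under a dedicated account (here `privoxy`); the function name and log prefixes are made up for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Assumptions: the proxy runs locally as
# user "privoxy"; the log prefixes and function name are made up here.

# web_egress_rules PROXY_USER [PORTS]
# Prints an iptables-restore ruleset; returns 1 (printing no rules) on bad input.
web_egress_rules() {
    proxy_user=$1
    ports=${2:-80,443,8000,8080}    # the ports named in the post

    # Conservative charset so the name cannot smuggle extra rule options.
    case $proxy_user in
        ''|-*|*[!A-Za-z0-9_-]*) echo "bad proxy user" >&2; return 1 ;;
    esac
    # Digits and single commas only, no leading or trailing comma.
    case $ports in
        ''|*[!0-9,]*|,*|*,|*,,*) echo "bad port list" >&2; return 1 ;;
    esac
    # Each port 1-65535; the multiport match takes at most 15 ports.
    count=0
    old_ifs=$IFS; IFS=,
    for p in $ports; do
        case $p in ??????*) p=0 ;; esac    # 6+ digits: force range failure
        if [ "$p" -lt 1 ] || [ "$p" -gt 65535 ]; then
            IFS=$old_ifs; echo "port out of range" >&2; return 1
        fi
        count=$((count + 1))
    done
    IFS=$old_ifs
    [ "$count" -le 15 ] || { echo "too many ports" >&2; return 1; }

    # Order matters: loopback (browser -> local proxy) passes, LOG only records
    # new connections and falls through, the proxy account may reach the web
    # ports, and every other process is logged and rejected on those ports.
    cat <<EOF
*filter
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m conntrack --ctstate NEW -j LOG --log-prefix "OUT-NEW: "
-A OUTPUT -p tcp -m owner --uid-owner $proxy_user -m multiport --dports $ports -j ACCEPT
-A OUTPUT -p tcp -m multiport --dports $ports -j LOG --log-prefix "OUT-WEB-DENY: "
-A OUTPUT -p tcp -m multiport --dports $ports -j REJECT --reject-with tcp-reset
COMMIT
EOF
}
```

Pipe the output to `iptables-restore --test` to validate it before loading; loading without `--noflush` replaces the current filter table.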