When using DeleGate as a proxy on a multi-homed host, with different network interface for an external (xx.xx.xx.xx) and an internal (ii.ii.ii.ii) network respectively, the simplest configuration to allow access only from the inside is specifying the interface of port to accept clients as this:
By default, DeleGate allows access from a client-host only if the host is on "local network". What the "local network" is is pre-defined as the special host-list named ".localnet". It can be redefined with a HOSTLIST parameter as this for example:
When it is difficult or insufficient to control access based on the IP address or host-name of clients, you can use password based authentications, or certificate based authentication when using SSL. For example, PAM based password authentication can be done as this: