Intercept 802.3 packets on egress and redirect until tagged
I've moved into a giant mill building and wish to consider offering free internet to the unwashed masses. Yes, I know this sounds foolish and possibly even legally insane, but I absolve anyone from their advice.
However, the cynic in me knows that people are often bad, and so before allowing the optimist in me to offer forth this splendor of free internet (via 802.11something, of course), I wish to redirect any new MAC address first to a webpage on my Linux NAT router, with the usual blurbs, "I promise I will not kill anyone". A checkbox and submit button later, and they're allowed to continue on.
The web part is obviously fairly easy. Assuming I know how to tag a MAC address as "good" or "bad" at the user level, how might I do the redirect at layer 2?
So people are going to be coming in through the wifi bridge. They spit out onto my LAN with their own MAC (or maybe they aggregate through something before getting to me. Either way, it's granular to the apartment, and apartments have only a person or two, so I don't care). If the MAC address is not in a list, anything on the web needs to go to a local IP. Anything not on the web just doesn't work. Once they view the page and submit, their MAC gets into the system and all of a sudden they can browse the web (for a while). The other things still stay magically unavailable, though. Web only is fair.
A DNS approach won't work, because they could just use their own DNS, even if I assigned them the IP via DHCP (which I'll have to). Which makes it tricky, with the limited scope of how to tackle this I have.
So, the obvious foolishness aside, does anyone have any ideas how I could implement this?
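One way to get the behaviour described in the question with netfilter on the Linux router, as an added example that is not part of the original post: unknown MACs are marked, their port-80 traffic is redirected to the local page, and everything else they send is dropped, while accepted MACs get web only. The interface name, portal port, mark value, the choice to allow DNS and port 443, and the function names are all assumptions.

```shell
#!/bin/sh
# Added example: prints iptables commands for a MAC-gated web portal; it does
# not run them. Interface, portal port and mark value are assumptions.
LAN_IF=wlan0        # assumed: interface the wifi bridge arrives on
PORTAL_PORT=8080    # assumed: local port serving the acceptance page
MARK=0x63           # arbitrary firewall mark meaning "MAC not accepted yet"

# Accept only a literal xx:xx:xx:xx:xx:xx so form input never reaches a rule.
valid_mac() {
    [ "${#1}" -eq 17 ] &&
    printf '%s\n' "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
}

# Static rules, loaded once. Assumes NAT/masquerading is already configured and
# that reply traffic towards the LAN is allowed by the existing ruleset.
base_rules() {
cat <<EOF
# Every LAN packet is marked unless an accepted-MAC rule returns first.
iptables -t mangle -N portal
iptables -t mangle -A PREROUTING -i $LAN_IF -j portal
iptables -t mangle -A portal -j MARK --set-mark $MARK
# Marked (unaccepted) clients: plain HTTP lands on the local portal page.
iptables -t nat -A PREROUTING -i $LAN_IF -p tcp --dport 80 -m mark --mark $MARK -j REDIRECT --to-ports $PORTAL_PORT
# DNS is forwarded for everyone so a browser gets as far as its HTTP request.
iptables -A FORWARD -i $LAN_IF -p udp --dport 53 -j ACCEPT
# Anything else from an unaccepted MAC goes nowhere (HTTPS included).
iptables -A FORWARD -i $LAN_IF -m mark --mark $MARK -j DROP
# Accepted MACs: web only, everything else stays unavailable.
iptables -A FORWARD -i $LAN_IF -p tcp -m multiport --dports 80,443 -j ACCEPT
iptables -A FORWARD -i $LAN_IF -j DROP
EOF
}

# Emitted when the form is submitted: the MAC skips the MARK rule.
allow_mac() {
    valid_mac "$1" || { echo "invalid MAC: $1" >&2; return 1; }
    echo "iptables -t mangle -I portal 1 -m mac --mac-source $1 -j RETURN"
}

# Emitted when the "for a while" period expires: back to the portal.
revoke_mac() {
    valid_mac "$1" || { echo "invalid MAC: $1" >&2; return 1; }
    echo "iptables -t mangle -D portal -m mac --mac-source $1 -j RETURN"
}
```

Run as root with `base_rules | sh`; the page's submit handler would execute the output of `allow_mac`, and a timer the output of `revoke_mac`. A MAC address is chosen by the client, so this gates consent rather than authenticating anyone.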