Commands look like
--- create the IPSET
/usr/sbin/ipset -N WEBAUTHIP macipmap --network 128.223.0.0/16
--- delete/ADD to add an IP+MAC to the IPSET allow list
/usr/sbin/ipset -q -D WEBAUTHIP $ip
/usr/sbin/ipset -A WEBAUTHIP "$ip:$mac"
--- the matching *IPTABLES* rule that uses the IPSET to allow
/usr/sbin/iptables -t mangle -A PREROUTING -m set --set WEBAUTHIP src -j
ACCEPT
/usr/sbin/iptables -t raw -A PREROUTING -m set --set WEBAUTHIP src -j ACCEPT
--- fall-through redirect unallow users to a wepage
/usr/sbin/iptables -t nat -A PREROUTING -p tcp -m tcp --dport 80 -j DNAT
--to-destination $AUTHHOST:80
Notes
We use both the "raw" and the "mangle" sets in order to process packets on the chains as early as possible. This makes it go faster. (Note: nat chain is only used at SYN and after a connection track has appeared. So that's why you need mangle, and actually want mangle. But you require nat to get the redirect, so there is probably no way to avoid using both. Total rule count is about 12-rules, and those rules are almost identicaly on each of the nat and mangle chains. All this happens before routing.