I see. Running an iptables -L in the console, I can see the rules in the CapPortFS chain. I was seeing a lot of DNS lookups over port 53 in the connection tracker, and there is a rule here that lets them through. This is where the free authorized services on the captive portal page come into play.
Couldn’t I require udp/53 traffic to also authenticate through the captive portal? I am not particularly worried about people setting up a UDP tunnel to get around the captive portal, but I would like to account for every packet that goes out over satellite. Satellite data costs about $1/MB for us, and with UDP packets streaming out, it quickly adds up.
Another question. By putting a couple rules in the fwd chain to allow traffic out over a particular interface (and in) before it hits the CapPort chain, could I bypass the captive portal (not have to manually turn it off) when the ship connects to shore via a cable connected to eth0?