This is what I do and it works great...even across net.:
I just do a dstnat rule with the src address of the Non paying client...protocol TCP, Src port 1-60000
The action is dst-nat of the IP and PORT of the web server you are running..locally or across the net.
let me know if you have probs..ive been using this for a while to block access to non paying users...
edit: oh the key is setting ALL the Apache error pages (404 mainly) to your index.html
if you dont do this then if someone types in http://www.google.com/whatever.html
they will get a page not found since yourWEBserver.com/whatever.html is not found...