NetBilling internet access control subsystem is a flexible machanism of network traffic filtering based on client's IP and MAC. Internet access can be switched on and off by the client himself for times he really needs it reducing IP substitution traffic stealing possibility. When the client does not need Internet acces any more, it simple swithes it off and from this moment his password is required to turn it back on.

User acces control could be provided with firewall configuration of PC-based router running NetBilling (by default) or with any kind of software or hardware you can imagine (it will require some scripting from you) - you can use your own tools with NetBilling.

This is how it works. Every time NetBilling decides to grant or revoke access to/from client, it executes predefined (see netbill.conf) program (binary of script). By default, it is act.sh and deact.sh shell scripts. When running external program, NetBilling gives it two command-line arguments: client's IP and MAC.

Supplied act.sh and deact.sh do some iptables FILTER-chain manipulation to manage access of clients into external network. They also require SUID-root'ed binary ipta program for running iptables from unpriveleged user.

You can rewrite these shell scripts to conform your users access policy. You even can use them for remote control of hardware routers, like Cisco or others in any way you want.