I'm looking to allow access to an internal web server via port forwarding, but I would like the port on the firewall to first authenticate the user.
i.e. The client connects to port 8080 on the firewall with a web browser. On connection to the port he is served with an HTML login page, preferably via SSL. If the username and password are correct, port forwarding is enabled for the client's IP address (and maybe MAC address) via IPCHAINS or IPTABLES. Once the client is finished it either logs out (i.e. the firewall rule closes the port after the client logs out) or the rule expires once the client disconnects.

So, you want to use http to check if somebody is allowed to use http. Sounds like a chicken and egg problem. He already IS using http when you are asking him who he is in the first place.
So you would just use the web server's security features (not an issue for this list, and it's in BOLD print in the documentation). If that is not enough and you want top-notch security, you would place a proxy server that authenticates in a DMZ and have that access the internal web server. The variations, options and gory details are plentiful and will provide for much happy hacking.
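As an added illustration of the "authenticating proxy in the DMZ" suggestion above (this is example code written for this note, not anything posted in the thread), here is a minimal reverse proxy in Python: the client never reaches the internal server until the proxy has accepted its HTTP Basic credentials, so the firewall only ever needs a static rule allowing the proxy host to talk to the internal web server. The credential store, the backend address `intranet-web.example.internal` and the helper names are assumptions for the example; TLS in front of the proxy is left to stunnel or an `ssl`-wrapped socket.

```python
import base64
import hmac
import http.server
import urllib.error
import urllib.request

# Constructed credential store for the example. A real deployment would keep
# salted password hashes (htpasswd-style), never plaintext in the source.
USERS = {"alice": "correct horse battery staple"}

# Assumed address of the internal web server the proxy fronts (hypothetical).
BACKEND = "http://intranet-web.example.internal"


def basic_header(user, password):
    """Build the Authorization header a browser sends for HTTP Basic auth."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return "Basic " + token


def check_basic_auth(header):
    """Validate an HTTP Basic Authorization header against USERS.

    Returns the username on success and None on any failure: missing or
    malformed header, bad base64, unknown user, or wrong password.
    """
    if not header or not header.startswith("Basic "):
        return None
    try:
        decoded = base64.b64decode(header[len("Basic "):], validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    if not sep:
        return None
    # Compare against an empty string for unknown users so the code path (and
    # its timing) is the same whether or not the user exists.
    expected = USERS.get(user, "")
    ok = hmac.compare_digest(password.encode("utf-8"), expected.encode("utf-8"))
    if user in USERS and ok:
        return user
    return None


class AuthProxyHandler(http.server.BaseHTTPRequestHandler):
    """Relays GET requests to BACKEND only after a successful login."""

    def do_GET(self):
        user = check_basic_auth(self.headers.get("Authorization"))
        if user is None:
            # Unauthenticated: challenge the browser, never touch the backend.
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="intranet"')
            self.end_headers()
            return
        upstream = urllib.request.Request(BACKEND + self.path)
        try:
            with urllib.request.urlopen(upstream, timeout=10) as resp:
                status, body = resp.status, resp.read()
                ctype = resp.headers.get("Content-Type", "application/octet-stream")
        except urllib.error.HTTPError as err:
            # Backend answered with an error status: pass it through unchanged.
            status, body = err.code, err.read()
            ctype = err.headers.get("Content-Type", "text/plain")
        except urllib.error.URLError:
            status, body, ctype = 502, b"upstream unavailable\n", "text/plain"
        self.send_response(status)
        self.send_header("Content-Type", ctype)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


def serve(port=8080):
    """Run the proxy on the DMZ host; terminate TLS in front of it."""
    server = http.server.ThreadingHTTPServer(("0.0.0.0", port), AuthProxyHandler)
    server.serve_forever()


if __name__ == "__main__":
    serve()
```

Because the decision is made per request rather than per source IP, this avoids the problem of the poster's original design, where a firewall rule opened for an IP (or MAC) address would admit anyone sharing that address, such as other users behind the same NAT, for as long as the rule lived.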