IPtables isn't just a stateful firewall - it's a firewall with userland-accessible state tables. Using multiple tables, it is possible to add and remove policies for individual IP addresses programmatically. Don't just think IP Masquerading - think Masquerading to different addresses based on web app auth, or redirecting through different proxy servers based on username. Don't just think stateful packet filtering, think building finite state machines to allow or block traffic based on specific connections (port knocking, reverse port knocking, and ghetto IDS). Even if iptables isn't new, some of its capabilities may be new to some of you.