IPtables isn't just a stateful firewall - it's a firewall with userland-accessible state tables. Using multiple tables, it is possible to add and remove policies for individual IP addresses programmatically. Don't just think IP Masquerading - think Masquerading to different addresses based on web app auth, or redirecting through different proxy servers based on username. Don't just think stateful packet filtering, think building finite state machines to allow or block traffic based on specific connections (port knocking, reverse port knocking, and ghetto IDS). Even if iptables isn't new, some of its capabilities may be new to some of you.
Jim MacLeod (@shewfig) retrofits security onto NMS appliances for a large networking vendor. His personal goal is to keep 80% of you from cracking his department's product within the first week of its release, and to convince his team to make his job unnecessary by writing code that's secure.