care must be taken to have the expiry times reasonable or the iptables rule list becomes much too large and eventually chews up all available CPU.
Have you seen the "ipset" stuff on the netfilter-devel list? This is a new set of modules that works with sets of addresses. It should allow you to have a much larger rejection list.
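As an added illustration of the point made above (this is example code, not something posted in the thread and not part of the ipset project itself), the script below emits, rather than executes, the commands for both approaches: the per-address iptables rule list that grows with every blocked host, and a single hash:ip set with an in-kernel timeout, matched by one iptables rule. The set name, the 3600-second timeout and the three sample addresses are constructed placeholders; the commands themselves (`ipset create ... hash:ip timeout N`, `ipset add ... -exist`, `iptables -m set --match-set NAME src`) are the standard ipset/iptables syntax that has shipped in mainline Linux since 2.6.39.

```shell
#!/bin/sh
# Added example (not from the original thread): build the ipset/iptables
# commands that replace a long per-address DROP rule list with one hash:ip
# set whose entries expire on their own. Commands are written to stdout, not
# executed, so they can be reviewed first and then piped to sh as root.
# SET_NAME, DEFAULT_TIMEOUT and SAMPLE_ADDRS are constructed placeholders.

SET_NAME="blocklist"
DEFAULT_TIMEOUT=3600   # seconds; the kernel drops entries from the set itself

# Constructed sample input: one address per line (TEST-NET ranges).
SAMPLE_ADDRS="192.0.2.10
198.51.100.7
203.0.113.99"

# Old approach, for contrast: one iptables rule per address and no expiry,
# so the INPUT chain is walked linearly and only shrinks by hand.
per_address_rules() {
    printf '%s\n' "$1" | while read -r addr; do
        [ -n "$addr" ] || continue
        echo "iptables -I INPUT -s $addr -j DROP"
    done
}

# ipset approach: one set created with a default timeout, one iptables rule
# that matches the whole set with the 'set' match, and one 'ipset add' per
# address. '-exist' makes create/add idempotent so the script can be re-run.
ipset_rules() {
    set_name="$1"; timeout="$2"; addrs="$3"
    echo "ipset create $set_name hash:ip timeout $timeout -exist"
    # Insert the match rule only if it is not already present (-C checks).
    echo "iptables -C INPUT -m set --match-set $set_name src -j DROP 2>/dev/null || iptables -I INPUT -m set --match-set $set_name src -j DROP"
    printf '%s\n' "$addrs" | while read -r addr; do
        [ -n "$addr" ] || continue
        echo "ipset add $set_name $addr -exist"
    done
}

# Number of iptables rules a generated command list installs; this is what
# grows with the blocklist in the old approach and stays at 1 with ipset.
count_iptables_rules() {
    printf '%s\n' "$1" | grep -c '^iptables '
}

# Stand-alone run: show both command lists side by side.
echo "# per-address rules:"
per_address_rules "$SAMPLE_ADDRS"
echo "# ipset-based rules:"
ipset_rules "$SET_NAME" "$DEFAULT_TIMEOUT" "$SAMPLE_ADDRS"
```

With ipset the chain holds one rule no matter how many addresses are blocked, and the `timeout` on the set takes care of the expiry that the first message had to manage by hand; per-entry timeouts can still be overridden on each `ipset add` if some hosts should stay blocked longer.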