Managing iptables rules in Linux
Try iptables' ipsets. ipsets are configured separately, and these are also faster if you have enough ip addresses to manage.
iptables rule can refer to ipset like this:
iptables -A FORWARD -m set --set blocklist src,dst -j DROP
One simple solution is to use multiple bash scripts for each section something like:
iptables-routing.sh
iptables-ssh-bans.sh
iptables-blacklist.sh
And run this files from a master script.
iptables does not read the file directly, that is done by a program called iptables-restore. This is usually called from one of your init scripts.
You could add extra input files to your iptables-restore line. You'll have to find where this line is on your system but on my Debain box, it is in /etc/init.d/nat
The line currently reads like this:
/sbin/iptables-restore < /etc/network/iptables
Perhaps it could be changed to something like this:
cat /etc/network/iptables \
/etc/network/pre_routing_tables \
/etc/network/ssh_bans | /sbin/iptables-restore
I tend to use one of the many on-top-of-iptables firewalling scripts/tools, like Firestarter or Shorewall, they come with many files, separated by purpose, add interesting rules to protect against certain types of bogus packets and they usually work well.