In terms of iptables structure itself, you'd presumably want to have a separate table for each zone. This way, your main iptables script would identify traffic relevant to a zone, presumably on source IP, and then jump to that zone's table with the -j option. This then gives you a degree of isolation and abstraction from the base level iptables main tables.
As for actually implementing them, iptables is managed in different ways by different systems. If you wish to step outside of CentOS's own /etc/sysconfig/iptables script, then that's fine, and it probably sounds advisable to scrap it altogether if you want a seriously fine detail of management. In which case, you can just write your own script however you see fit.
First define a new table:
iptables -N BLAH
Then identify traffic to send to it:
iptables -A INPUT -s 123.0.0.0/8 -j BLAH
Then filter in that new table:
iptables -A BLAH -d 192.168.1.2 -j REJECT
etc...
The first two parts I would probably have in the "main" script, the third in a separate one (or maybe the -N would be in the separate one too... and the 2nd and 3rd parts can be done either way round). But either way, define the table, then send stuff to it. How you really achieve that is up to you, and as long as you're comfortable with the quality of your rulebase, you don't need to stick to any distro-specific framework in the slightest.
As for what a main script would look like then, I'd just set up variables, like the iptables path and the like, then source all the files to execute in line:
Code:
IPTABLES=/sbin/iptables
. /etc/myfwscripts/this_zone
. /etc/myfwscripts/that_zone
$IPTABLES -A FORWARD -s 123.0.0.0/8 -j THIS_ZONE
etc...
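The layout described in the post above, as an added example that is not part of the original post: one user-defined chain per zone (what `iptables -N` creates), filled before the jump from FORWARD is installed, and safe to re-run. The `DRY_RUN` switch, the helper function names, the 198.51.100.0/24 network and the rules inside each zone are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not the poster's script. THAT_ZONE's network and the
# rules inside both zones are constructed for illustration.
IPTABLES=${IPTABLES:-/sbin/iptables}
DRY_RUN=${DRY_RUN:-1}   # 1 = print commands only, 0 = apply them (needs root)

# Run one iptables command, or just print it in dry-run mode.
ipt() {
    if [ "$DRY_RUN" = 1 ]; then echo "$IPTABLES $*"; else "$IPTABLES" "$@"; fi
}

# zone_begin ZONE: create the chain, or flush it if it already exists,
# so re-running the script never stacks duplicate rules inside a zone.
zone_begin() {
    ipt -N "$1" 2>/dev/null || ipt -F "$1"
}

# zone_dispatch BUILTIN SOURCE ZONE: jump to the zone chain by source address.
# The -C check (where supported) skips a jump that is already installed.
zone_dispatch() {
    if [ "$DRY_RUN" != 1 ] && "$IPTABLES" -C "$1" -s "$2" -j "$3" 2>/dev/null; then
        return 0
    fi
    ipt -A "$1" -s "$2" -j "$3"
}

# In the post's layout each zone body would sit in its own file under
# /etc/myfwscripts/ and be sourced by the main script.
zone_this() {
    zone_begin THIS_ZONE
    ipt -A THIS_ZONE -d 192.168.1.2 -j REJECT
    ipt -A THIS_ZONE -j RETURN    # unmatched traffic goes back to FORWARD
}

zone_that() {
    zone_begin THAT_ZONE
    ipt -A THAT_ZONE -p tcp --dport 22 -j ACCEPT
    ipt -A THAT_ZONE -j DROP      # this zone ends in its own default deny
}

# Zone chains are filled first and the jumps added last, so on a first
# load nothing is dispatched to a chain that is missing or half-built.
build_ruleset() {
    zone_this
    zone_that
    zone_dispatch FORWARD 123.0.0.0/8 THIS_ZONE
    zone_dispatch FORWARD 198.51.100.0/24 THAT_ZONE
}
build_ruleset
```

Run it as is to review the generated commands, then with `DRY_RUN=0` as root to apply them.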