I understand
that's a little beyond/above my knowledge
I have only 3 servers
there always are multiple approaches to each problem
one I use would be:
I personally care/manage ONE iptables set
use
iptables-save >iptables.conf
then rsync to my other servers and
iptables-restore <iptables.conf
however
on my newest server config, which I am going to use in a short while (servers waiting), I do most/all automatically
1.
a basic set of rules for all - for example similar to the one from
http://www.linux.org/lessons/advance...IPTABLES-INTRO
the sample script is further down the page.
2.
then each server has a number of different security related tools installed
such as:
snort
mod_security
fail2ban
and if needed a cron-updated blacklist for iptables from
rsync-mirrors.uceprotect.net
and thus several of the a.m. security tools update rules / auto-create NEW rules as needed - example:
if you have fail2ban installed with an individualized/adapted jail.conf
then fail2ban will append new rules on the fly as needed and also auto-delete them after a predefined time/days.
however, this method is based on individual, optimized security-tool configuration to auto-create new rules as needed and auto-delete them if so wished, to free IP blocks.
this may be one of the many solutions.
one single complete security installation of all a.m. tools can easily be transferred / rsync-ed to all servers once it's tested and working.
other experts here may have better ideas for iptables admin tools for your situation.
personally I love the auto-creation of iptables rules on the fly to prevent too many IP blocks from being entirely blocked for all traffic. Currently I have most of China blocked due to the abundance of hacker and fake traffic from there. However, such solutions also block all generic traffic.
the ONE-server-manually-cared-for solution
of course works with any number of servers - IF - you install on each server a small cron job to rsync the newest iptables.conf from the mother server and then flush the local iptables
iptables -F
and restore the newest imported iptables as mentioned above.
this is no tool - but an automated mechanism to synchronize all iptables with the one you personally care/maintain.
of course the above solutions would require that you want all servers with the same iptables set ...
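The rsync-and-restore mechanism described in the post has one failure mode worth guarding against: if the synced iptables.conf is truncated or simply lacks the rule that admits your own management connection, every server that pulls it locks you out at the same moment. The following is an added example, not code from the post or from any of the tools it names. It is a small checker that a cron job can run between the rsync and the iptables-restore, and it exits non-zero if the dump is structurally broken or if the INPUT chain has a DROP policy with no ACCEPT for the management port. The sample rulesets inline are constructed for the demonstration, and the management port (22) and the file path are assumptions you would adapt. Since iptables-restore replaces the tables it loads, the intended usage is `python3 check_rules.py iptables.conf && iptables-restore < iptables.conf`, with no separate flush.

```python
"""Sanity-check an iptables-save dump before restoring it on a remote server.

Added example for syncing one ruleset to many servers; the samples below are
constructed, not taken from a real server.
"""
import sys

# Constructed sample in iptables-save format: DROP policy, but SSH is admitted.
SAMPLE_RULES = """\
# Generated by iptables-save (constructed sample)
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp --dport 80 -j ACCEPT
COMMIT
"""

# Constructed broken sample: truncated (no COMMIT) and no rule admitting SSH.
BROKEN_RULES = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp --dport 80 -j ACCEPT
"""


def parse_tables(text):
    """Split a dump into tables; return ({table: {policies, rules}}, problems)."""
    tables, problems, current = {}, [], None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):                      # start of a table block
            if current is not None:
                problems.append(f"line {lineno}: table *{current} opened without COMMIT")
            current = line[1:]
            tables[current] = {"policies": {}, "rules": []}
        elif line == "COMMIT":                        # end of a table block
            if current is None:
                problems.append(f"line {lineno}: COMMIT outside a table")
            current = None
        elif current is None:
            problems.append(f"line {lineno}: directive outside a table: {line}")
        elif line.startswith(":"):                    # ":CHAIN POLICY [pkts:bytes]"
            parts = line[1:].split()
            if len(parts) < 2:
                problems.append(f"line {lineno}: malformed chain line: {line}")
            else:
                tables[current]["policies"][parts[0]] = parts[1]
        elif line.startswith(("-A ", "-I ")):         # "-A CHAIN <match args> -j TARGET"
            parts = line.split()
            tables[current]["rules"].append((parts[1], parts[2:]))
        else:
            problems.append(f"line {lineno}: unrecognised line: {line}")
    if current is not None:
        problems.append(f"table *{current} not closed with COMMIT (truncated dump?)")
    return tables, problems


def _arg_value(args, flag):
    """Return the token following `flag` in a rule's arguments, or None."""
    if flag in args and args.index(flag) + 1 < len(args):
        return args[args.index(flag) + 1]
    return None


def _accepts_port(args, port):
    """True if the rule jumps to ACCEPT and its --dport/--dports covers `port`."""
    if _arg_value(args, "-j") != "ACCEPT":
        return False
    for flag in ("--dport", "--dports"):
        value = _arg_value(args, flag)
        if value is not None and str(port) in value.split(","):
            return True
    return False


def check_ruleset(text, mgmt_port=22):
    """Return a list of findings; an empty list means the dump is safe to restore."""
    tables, problems = parse_tables(text)
    filt = tables.get("filter")
    if filt is None:
        problems.append("no *filter table in dump")
        return problems
    policy = filt["policies"].get("INPUT")
    if policy is None:
        problems.append("filter table has no INPUT chain line")
        return problems
    if policy == "DROP":
        inputs = [args for chain, args in filt["rules"] if chain == "INPUT"]
        if not any(_accepts_port(args, mgmt_port) for args in inputs):
            problems.append(f"INPUT policy is DROP but no ACCEPT for tcp/{mgmt_port}: "
                            "restoring this remotely would cut off management access")
        if not any("RELATED,ESTABLISHED" in " ".join(args) for args in inputs):
            problems.append("INPUT policy is DROP with no RELATED,ESTABLISHED rule: "
                            "replies to outbound connections will be dropped")
    return problems


if __name__ == "__main__":
    # Usage in the cron job, after the rsync and before iptables-restore:
    #   python3 check_rules.py iptables.conf && iptables-restore < iptables.conf
    path = sys.argv[1] if len(sys.argv) > 1 else "iptables.conf"  # assumed default path
    with open(path) as fh:
        findings = check_ruleset(fh.read())
    for finding in findings:
        print("REFUSING TO RESTORE:", finding, file=sys.stderr)
    sys.exit(1 if findings else 0)
```

The checker deliberately refuses rather than repairs: a dump that fails here should not be applied anywhere, and the mother server's copy is the one to fix.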