What are my choices for centrally managing iptabels?

Thanks in advance and sorry if it has been posted before.

You give rather little information about what you EXACTLY plan to do. how many servers / computers do you need to centralize in the iptables ? LAN / or www ?
here you see a rather comprehensive online tutorial that might help you

http://www.linux.org/lessons/advanced/x313.html

Thanks for the reply. I need to be able to manage IPTABLES running on over 1000 hosts from a central server. I have heard this can be done with tools like puppet. I would like to know what others use when they have to manage 1000s of hosts running IPTABLES on web, app and db tiers.

I understand
that's a little beyond7above my knowledge
I have only 3 servers

there always are multiple approaches to each problem
one I use would be:

I personally care/manage ONE iptables set
use
iptables-save >iptables.conf
then rsync to my other servers and
iptables-restore <iptables.conf

however
on my newest server-config I am going to use in a short while ( servers waiting ) I do most/all automatically

1.
a basic set of rules for all - for example similar as the one from
http://www.linux.org/lessons/advance...IPTABLES-INTRO
further down the page the sample script.

2.
then each server has a number of different security related tools installed
such as:
snort
mod_security
fail2ban
and if needed a cron updated black list for iptables from
rsync-mirrors.uceprotect.net

and thus several of a.m. security tools update new rules / auto-creates NEW rules as needed - example:

if you have for fail2ban installed with an individualized/adapted jail.conf
then fail2ban will append new rules on the fly as needed and also auto-delete them after a predefined time/days.

however this method is based on individual and optimized security tool-configuration to autocreate new rules as needed and auto-delete them if wished so to free IP-blocks.

this may be one of the many solutions.
one single complete security installation of all a.m. tools can easily be transferred / rsync-ed to all servers once it's tested and working.

other experts here may have better ideas for iptables admin tools for your situation.

personally I love the auto-creation of iptables on-the-fly to prevent too many IP-blocks being entirely blocked for all traffic. currently I have most of China blocked due to the abundance of hacker and fake traffic from there. however such solutions also block all generic traffic.

the ONE server manually cared - solution
of course works with any number of servers - IF - you install on each server a small cron-job to rsync newest iptables.conf from mother-server and then flush local iptables

iptables -F
and restore the newest imported iptables as mentioned above.

this is no tool - but an automated mechanism to synchronize all iptables with the one you personally care/maintain.

of course above solutions would require that you want all servers with same iptables set ...

one suggestion would be to get a sound set of iptables rules working on a 'core' server, then hourly/nightly rsync them to the others, followed by a reload of the rules.

personally, I use apf to manage iptables.

YMMV.

HTH,
-Ray