Have you seen the "ipset" stuff on the netfilter-devel list? This is a new set of modules that works with sets of addresses. It should allow you to have a much larger rejection list.
Just checked, this project has a web page:
<http://people.netfilter.org/kadlec/ipset/>
