ipset lets us define netfilter rules against named, dynamic sets of ips. For example:

ipset -N bofhirc iphash
iptables -m set --set bofhirc src -d bofhirc.example.org -p tcp \
    -m tcp --dport 22 -j ACCEPT

creates the set and adds a rule giving only ips in the bofhirc set access to bofhirc.example.org port 22. How ips are added to that set is up to you (port knocking, messenger pigeon, OCR on a piece of paper held up in front of a webcam...) but involves ipset -A bofhirc <ip> at some point, and hopefully ipset -D bofhirc <ip> at some other point to revoke that access again. All without disturbing your carefully-tuned iptables config on every login.
A touch of the swiss army chainsaw (Perl with Net::LDAP) hooked into OpenVPN's --client-connect (accesses-from-ldap-open.pl) and --client-disconnect (accesses-from-ldap-close.pl). Et voila. Granting access is now as easy as adding a named set of firewall rules and adding

objectClass: vpnAccessPerson

to the relevant user in ldap. The ips involved are private and assigned by OpenVPN, so there's no risk of aliasing between multiple users behind a NAT.
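As an added illustration of the same connect/disconnect flow (this is not the page's accesses-from-ldap-open.pl/-close.pl, and it is POSIX sh rather than Perl), one hook script that serves both OpenVPN events: it looks the client's certificate CN up in LDAP, and only if the entry carries objectClass vpnAccessPerson does it add the assigned tunnel ip to the bofhirc set; on disconnect it removes it. The LDAP URI and base DN, and matching the CN against the LDAP cn attribute, are assumptions; the input checks exist because the CN and the ip are interpolated into an LDAP filter and an ipset command line.

```shell
#!/bin/sh
# Added example, not the page's accesses-from-ldap-open.pl/-close.pl: one POSIX
# sh hook usable as both OpenVPN --client-connect and --client-disconnect.
# OpenVPN exports the client's certificate CN as $common_name, its assigned
# tunnel address as $ifconfig_pool_remote_ip and the hook kind as $script_type.
# LDAP URI/base and matching the CN on the LDAP cn attribute are assumptions.
LDAP_URI="${LDAP_URI:-ldap://ldap.example.org}"
LDAP_BASE="${LDAP_BASE:-ou=people,dc=example,dc=org}"
IPSET_BIN="${IPSET_BIN:-ipset}"
SET_NAME=bofhirc
# Only a plain dotted quad may reach ipset: no spaces, no extra arguments.
valid_ipv4() {
  case "$1" in *[!0-9.]*|"") return 1 ;; esac
  old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do
    [ -n "$octet" ] && [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || return 1
  done
  return 0
}

# Allowlist for values interpolated into an LDAP filter; characters such as
# ( ) * \ would let a crafted certificate CN rewrite the search filter.
safe_filter_value() {
  case "$1" in *[!A-Za-z0-9._@-]*|"") return 1 ;; esac
}

# True when the user entry carries objectClass vpnAccessPerson.
ldap_has_vpn_access() {
  safe_filter_value "$1" || return 1
  ldapsearch -LLL -x -H "$LDAP_URI" -b "$LDAP_BASE" \
    "(&(cn=$1)(objectClass=vpnAccessPerson))" dn 2>/dev/null | grep -q '^dn:'
}

# $1 = add|del, $2 = tunnel ip; maps to ipset -A / ipset -D on the set.
ipset_op() {
  valid_ipv4 "$2" || return 1
  case "$1" in
    add) "$IPSET_BIN" -A "$SET_NAME" "$2" ;;
    del) "$IPSET_BIN" -D "$SET_NAME" "$2" ;;
    *)   return 1 ;;
  esac
}

# Dispatch on the hook kind (unset when sourced for testing: do nothing). A
# non-zero exit from the connect hook makes OpenVPN refuse the client.
case "${script_type:-}" in
  client-connect)
    ldap_has_vpn_access "$common_name" && ipset_op add "$ifconfig_pool_remote_ip" ;;
  client-disconnect) ipset_op del "$ifconfig_pool_remote_ip" ;;
esac
```

Point both --client-connect and --client-disconnect in the OpenVPN server config at this script; OpenVPN sets script_type so the same file knows which event it is handling.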