The modularity of iptables - or "ipt_SYSRQ"
One of the best early design choices of iptables was its support for plugin matches and plugin targets. Over the last five years, we have seen some 100 of such user-developed special-purpose plugins.
One that I find particularly funny is ipt_SYSRQ, a target module that allows you to issue the "magic sysreq" command via a network packet. This way you can sync, unmount and reboot a otherwise stuck machine that still responds to interrupts.
Obviously quite dangerous, but the author includes a time stamp and a cryptographic signature, so replay attacks can only occur in a very small time frame.
It's definitely a cool hack, although I'm not sure whether I'd want to put this on a production system or not.