i just figured that iptables pulls kernel sources (not headers). though i'm sure that iptables modules (like those for layer7 or other extensions) need the sources i don't know if they're needed if you want a plain iptables installation.
it seems like inheriting linux-info pulls the sources... though i'm not sure which functions are used it seems to me that one function is placed wrong.

lines 42-50 (here the kernel version is checked before checking if we need l7filter)
    if kernel_is ge 2 6 20
    then
        L7FILE=${KERNEL_DIR}/net/netfilter/xt_layer7.c
    else
        L7FILE=${KERNEL_DIR}/net/ipv4/netfilter/ipt_layer7.c
    fi
    if use l7filter && \
        [ ! -f "${L7FILE}" ]; then
        die "For layer 7 support emerge net-misc/l7-filter-${L7_PV} before this"

lines 104-106 (here the kernel version is checked AFTER the use flag l7filter is checked)
    if use l7filter ; then
        #yes choosing 2.6.20 was deliberate - upstream mistake possibly
        if kernel_is ge 2 6 20

so is it possible to probably switch the order of the former mentioned function calling and prevent pulling the kernel sources for a plain iptables installation?