wilderness - 8:02 pm on Oct 2, 2011 (gmt 0)
First, what your attempting is no simple matter.
1) deny all
2) allow UK IP ranges (there are some sites that will provide you with all the UK ranges (at least with some degree of accuracy), however these ranges will NOT be a copy and paste solution. You'll still need to combine and condense IP's.
3) then go back allow non-UK ranges based upon raw log activity. (Be very carful when allowing these IP's (NOT primarily on /8-A's, rather restricting access to a Class D range.
allows the 0-32 Class D Range.
In some instance you may wish to focus upon a Class C range, however and if your wish is to restrict access from the masses, you should be very careful in these ranges.
Each instance of an exception for you to allow an IP range would require an analysis and a decision (based upon raw log activity and research of the IP range), not something you may trust to a software or a processor.
Do you mean opening up single IPs?
Also, do you find that people change IP often in the States?
"Often", and generally speaking,no.
The North American (at least within the US and CAN) IP ranges even though dynamic are fairy consistent (unless the user resets their modem daily). With the majority using broad band connections these days their routers are left on 24/7 maintaining the same dynamic IP for months at a time.
In Europe the provide dynamic ranges are far more broad in comparison and may vary by both Class A's and B's.
In addition, malicious visitors will come from a variety of IP's based upon proxies, server farms, and even more.