incrediBILL - 9:30 pm on Sep 1, 2013 (gmt 0)
The iptables option is probably the more instinctive solution because it just drops the packets and doesn't return a 403.
There's a difference between blocking a DDoS, hackers, spammers, and bad bots on the one hand and eliminating all the rest of the noise on the other, because some of the stuff being blocked might report on the status of your site, and each should be treated appropriately. What's fine for fighting a DDoS or hackers, like using iptables and returning no status at all, no robots.txt, etc., isn't good for handling the rest of the bots with no feedback whatsoever. Crawlers, and sometimes users, can't tell whether your site is down, the internet connection is bad, etc., and that can lead to sites incorrectly listing you as offline or dropping your site altogether from directories, link lists, and so on.
Remember, if you do accidentally block a human, the "403 Forbidden" page can give them instructions on how to unblock their IP if you offer that option, but iptables can't.
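As a sketch of the kind of feedback Apache can give that iptables can't, here's an Apache 2.4 style block with a custom 403 page (the IP ranges are RFC 5737 documentation ranges standing in for real offenders, and /blocked.html is a hypothetical page explaining how to request an unblock):

```apache
# Deny the troublesome ranges at the web-server level (example ranges only)
<RequireAll>
    Require all granted
    Require not ip 198.51.100.0/24
    Require not ip 203.0.113.0/24
</RequireAll>

# Serve a friendly page with unblock instructions instead of the bare 403
ErrorDocument 403 /blocked.html
```

A blocked human still gets a page they can read; a dropped packet gets them nothing.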
I run a directory, and if I can't connect to a site its listing gets dropped automatically, which is a shame: someone pays just to get listed but gets immediately dumped when there's no response to my link checker.
Usually this is because the host (and there are a couple doing it) now includes bot blocking at the firewall level, which obviously thwarts link checkers as well. Most are nice enough to give me a 403 Forbidden, which means the blocking is probably being done at the Apache level.
Don't forget to limit the block to port 80 or 443 in iptables, or you can kiss email from those addresses g'bye.
I just think it's a risky way to go unless you're doing something like firewalling hackers and spammers from China, Vietnam, Nigeria, Russia, etc., and in those cases blocking all ports in iptables is exactly what I do.
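For the record, the two iptables approaches above look something like this (198.51.100.0/24 is just a documentation range standing in for the offender):

```shell
# Web-only block: drop HTTP/HTTPS from the range but let mail, etc. through
iptables -A INPUT -s 198.51.100.0/24 -p tcp -m multiport --dports 80,443 -j DROP

# Full block for hostile ranges: drop everything, all ports, no response at all
iptables -A INPUT -s 198.51.100.0/24 -j DROP
```

The first rule is the "don't kiss email g'bye" version; the second is the scorched-earth version for ranges you never want to hear from on any port.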
Out of site, out of mind.
But for content protection only, I stick with blocking in Apache or using a PHP script with a table of IP ranges.
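The script-with-a-table-of-IP-ranges idea is simple enough to sketch. The original approach is a PHP script, but the logic is the same in any language; here's a minimal Python version with made-up ranges (again documentation ranges, not real offenders):

```python
import ipaddress

# Hypothetical block table; in practice this would be your curated list of bad ranges
BLOCKED_RANGES = [
    ipaddress.ip_network("198.51.100.0/24"),
    ipaddress.ip_network("203.0.113.0/24"),
]

def is_blocked(remote_addr: str) -> bool:
    """Return True if the visitor's IP falls inside any blocked range."""
    ip = ipaddress.ip_address(remote_addr)
    return any(ip in net for net in BLOCKED_RANGES)

# A real handler would check is_blocked() on each request and send a 403
# page (with unblock instructions) instead of serving the content.
```

Because the check runs at the script level, a blocked visitor still gets a proper HTTP response rather than a dead connection.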
Obviously some of this is just a philosophical difference in how to handle the situation, but I like to avoid as much collateral damage as possible, and doing it at the Apache or script level is the only way to really do that IMO.