Great point re: inadvertent blocking & directories Bill, Apache blocking seems to be the more cautious route.
I personally don't have much experience of changing iptables, but if it's possible to map port->port then I'd map all blocked requests to port 80/443 to a new port, say 1111.
Have a dozen-line C program sitting there just dishing out 403 HTTP headers and a short response. It'd take 100K of memory and would be very quick. You wouldn't need to read what the clients are asking... just keep serving the same response.
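The tiny responder described above, written out as an added example (not code from the poster): it listens on port 1111, never reads the request, and writes the same canned 403 to every connection. The port number and the `iptables`/`ipset` rule in the comment are assumptions; the set name `blocked` is a placeholder.

```c
/* Minimal 403-only responder. Assumed deployment (not from the post):
 * blocked clients' port 80 connections are sent here by something like
 *   iptables -t nat -A PREROUTING -p tcp --dport 80 \
 *       -m set --match-set blocked src -j REDIRECT --to-ports 1111
 * where "blocked" is a placeholder ipset of denied source addresses. */
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <netinet/in.h>
#include <sys/socket.h>

static char g_resp[256];

/* Build the fixed 403 response once; store its byte length in *len if given. */
const char *response_403(size_t *len) {
    const char *body = "Forbidden\n";
    int n = snprintf(g_resp, sizeof g_resp,
                     "HTTP/1.1 403 Forbidden\r\n"
                     "Content-Type: text/plain\r\n"
                     "Content-Length: %zu\r\n"
                     "Connection: close\r\n"
                     "\r\n%s", strlen(body), body);
    if (len) *len = (n < 0) ? 0 : (size_t)n;
    return g_resp;
}

/* Accept, write the canned response, close. The request is never read, so a
 * slow or hostile client cannot stall the loop on recv(). Returns only on
 * setup failure. */
int serve_403(int port) {
    size_t len;
    const char *resp = response_403(&len);
    int one = 1, s = socket(AF_INET, SOCK_STREAM, 0);
    struct sockaddr_in a = {0};
    a.sin_family = AF_INET;
    a.sin_addr.s_addr = htonl(INADDR_ANY);
    a.sin_port = htons((unsigned short)port);
    signal(SIGPIPE, SIG_IGN);               /* a client that hangs up early must not kill us */
    if (s < 0) return -1;
    setsockopt(s, SOL_SOCKET, SO_REUSEADDR, &one, sizeof one);
    if (bind(s, (struct sockaddr *)&a, sizeof a) < 0 || listen(s, 128) < 0) return -1;
    for (;;) {
        int c = accept(s, NULL, NULL);
        if (c < 0) continue;
        (void)write(c, resp, len);          /* best effort; peer may already be gone */
        close(c);
    }
}

int main(void) { return serve_403(1111); }
```

Connections redirected from port 443 will only see a TLS handshake failure, since this serves plaintext; the client is still refused, it just never renders the 403 page.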