On Debian-based systems it is possible to call external program from /etc/hosts.allow to allow/deny a client. I implemented a country filter based on GeoIP for SSH protection.
Firstly, we need to regularly update GeoIP database. Free database seems to be updated every month. I run this script by cron.daily to check if it is updated and download it if it is. (Database is saved to the directory where the script is.)
/etc/hosts.allow is something like this:
then in /etc/hosts.deny:
sshd: ALL: aclexec /usr/local/geoip/check %a
so that connections not explicitly allowed are denied.sshd: ALL
Finally this is the script I call from aclexec. Filtering rules are written in function "rule". In this case clients from Japan and unknown are allowed to connect.
Both scripts use syslog for diagnostic output.
This setup can be used for other services such as FTP.