
Wouldn't you normally want to do ip filtering on a lower level?



Sure, if you want to serve TCP reset / ICMP port-unreachable to blocked users, then yes - iptables or external firewall is a more natural way to do it.

But what if you want to serve different content to "blocked" users? i.e. login page, "we're sorry" page, redirect to read-only version of the site, reminder to connect to office VPN, anything like that...

Another example - more than one site on the same (server) IP, and only part of them are (client) IP-restricted.
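One way to do the application-level variant the comment describes, serving a different page or redirect depending on the client's source range rather than dropping the packet: the WSGI app below is an added example, not code from the thread or from any project named in it. Everything in it is constructed for illustration: the RFC 5737 / RFC 3849 documentation ranges, the action names, the read-only redirect host, and the page texts. It goes a little beyond the comment's list of cases by treating the policy as an ordered first-match-wins rule table with a default action, which is how the same code also covers the "only some of the sites on this IP are restricted" case (one table per site).

```python
"""Application-level client IP filtering that serves different content to
"blocked" clients instead of resetting the connection at the firewall.

Added example for the thread above, not the page's own code. All ranges,
hosts and page texts are constructed for illustration."""
import ipaddress

# Constructed policy: ordered rules, first match wins. Documentation ranges
# (RFC 5737 / RFC 3849) are used so nothing here refers to a real network.
RULES = [
    (ipaddress.ip_network("192.0.2.0/24"), "sorry"),        # shown a "we're sorry" page
    (ipaddress.ip_network("2001:db8::/32"), "sorry"),
    (ipaddress.ip_network("203.0.113.0/24"), "allow"),      # office range, full site
    (ipaddress.ip_network("198.51.100.0/24"), "read_only"), # redirect to read-only mirror
]
DEFAULT_ACTION = "vpn_reminder"  # everyone else is told to use the office VPN

READ_ONLY_URL = "https://read-only.example.invalid/"  # hypothetical mirror


def classify(client_ip, rules=RULES, default=DEFAULT_ACTION):
    """Return the action name for a client address.

    A malformed or empty address fails closed ("deny") rather than falling
    through to the default, so a bad REMOTE_ADDR can never widen access."""
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return "deny"
    for net, action in rules:
        # Comparing an IPv4 address against an IPv6 network (or vice versa)
        # is never a match; the explicit version check keeps that visible.
        if addr.version == net.version and addr in net:
            return action
    return default


def build_response(action):
    """Map an action to a (status, headers, body) triple."""
    html = [("Content-Type", "text/html; charset=utf-8")]
    if action == "allow":
        return "200 OK", html, b"<h1>Full site</h1>"
    if action == "read_only":
        return "302 Found", [("Location", READ_ONLY_URL)], b""
    if action == "sorry":
        return "403 Forbidden", html, b"<h1>We're sorry, this site is not available from your network.</h1>"
    if action == "vpn_reminder":
        return "403 Forbidden", html, b"<h1>Please connect to the office VPN and reload.</h1>"
    # "deny" and any unknown action: minimal response, no hint about policy
    return "403 Forbidden", [("Content-Type", "text/plain")], b"Forbidden"


def application(environ, start_response):
    """WSGI entry point.

    Only the transport-level peer address is consulted. X-Forwarded-For is
    client-controlled unless a trusted reverse proxy overwrites it, so it is
    deliberately ignored here; if this app sits behind such a proxy, the
    proxy should rewrite REMOTE_ADDR (or the check should move into it)."""
    client_ip = environ.get("REMOTE_ADDR", "")
    status, headers, body = build_response(classify(client_ip))
    start_response(status, headers + [("Content-Length", str(len(body)))])
    return [body]


def simulate(client_ip):
    """Drive the WSGI app with a minimal environ and return (status, headers, body)."""
    captured = {}

    def start_response(status, headers):
        captured["status"], captured["headers"] = status, headers

    body = b"".join(application({"REMOTE_ADDR": client_ip}, start_response))
    return captured["status"], captured["headers"], body


if __name__ == "__main__":
    for ip in ["203.0.113.5", "198.51.100.9", "192.0.2.7", "2001:db8::1", "10.1.2.3", "garbage"]:
        status, _, body = simulate(ip)
        print(f"{ip:>16} -> {classify(ip):<12} {status}  {body[:40]!r}")
```

To serve it for real, hand `application` to any WSGI server (for a local try-out, `wsgiref.simple_server.make_server("127.0.0.1", 8080, application).serve_forever()`); the `simulate` helper exists only so the policy can be exercised without opening a socket.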


Considering that firewalls are the best tools to "filter" by IP ranges, I'd suggest this "hack": Reroute the "blocked" packets (my favourite method is DNAT with iptables) to a different webserver which only serves the special pages.




