When I first installed my 10000+ lines of iptables rules, I was afraid that it would really bog things down. I was worried that incoming connections would be real slow. After all, before the kernel can allow a legitimate connection to be made, it must search through the whole list of rules to see if the incoming IP address should be accepted. I figured I'd probably have to just undo it all and put up with the constant hacking attempts. Was I relieved when I discovered no real difference in performance. Even the 486 is handling 10000+ rules without any noticeable lag. It's a Linux text only machine with 36MB of memory and it doesn't even touch the swap partition.
It's obvious that the iptables functionality in the Linux kernel is very efficient. If it wasn't, my 486 powered DNS server wouldn't be running right now. The only holdup with that machine is the initial installation of the code into the kernel. From that point on, it's as smooth as can be. My firewall machine is more powerful and has more memory. It does the initial loading very quickly and handles the incoming connections very efficiently. It appears that only the very first packet coming in is slowed down by about 8-10 milleseconds. That's absolutely nothing to worry about. Any user accessing my web site can't possibly notice that initial delay.
The best part is the whole setup runs smoother because a lot of bandwidth isn't getting unnecessarily used up by unwanted bad guys. If someone is trying to access my website from a country that is being blocked, their first packet arrives and is completely ignored by the kernel. No response is returned at all. To the person at the other end, it looks as if my IP address either isn't in use or the power is off causing no response. That one packet arriving adds very little to the bandwidth usage. It's much better having several thousand bad guys sending in one useless packet than those several thousand bad guys scouring my website for email addresses and making hacking attempts.
For the countries I don't block, everything appears normal to these people.