It can be difficult to determine the source of a request to a server. You can use geolocation to lookup an IP address, one excellent service is IP2Location.
However, if the goal is to deny access to servers from outside the country, language may be an effective identifier.
Whether the language is sent in the headers is an unknown, however, if it is sent, and it isn’t the language of the site, access can be denied with these commands:
In this case, if ‘en’ (English) is not one of the languages the client will accept, the request will be denied.
This should be part of a layered strategy, with other rules ensuring additional protection.
A word of caution. If the Accept-Language header is missing, access will also be denied. Search engine bots often omit the Accept-Language header.