Here are some examples. These directives can go in either the top-level Apache config files or individual .htaccess files.
# Restrict to OSU networks
<RequireAny>
Require ip 128.146.0.0/16 164.107.0.0/16 140.254.0.0/16
Require ip 172.16.0.0/12 10.0.0.0/8
Require ip 2620:0:1a10::/48
Require ip 3.16.225.230 3.14.116.154 3.12.52.221
</RequireAny>
# Block only bad IP ranges and let everyone else through
Require not ip 1.2.3.4
Require not ip 5.6.7.0/24
# Allow from OSU networks only _except_ for a few specific IPs
<RequireAll>
<RequireAny>
Require ip 128.146.0.0/16 164.107.0.0/16 140.254.0.0/16
Require ip 172.16.0.0/12 10.0.0.0/8
Require ip 2620:0:1a10::/48
Require ip 3.16.225.230 3.14.116.154 3.12.52.221
</RequireAny>
Require not ip 128.146.1.2
Require not ip 164.107.3.4
</RequireAll>
# Example using mod_rewrite to block bad IPs instead
RewriteEngine on
RewriteCond %{REMOTE_ADDR} ^1\.2\.3\.4$ [OR]
RewriteCond %{REMOTE_ADDR} ^5\.6\.7\.
RewriteRule .* - [F]
# Or if you'd prefer an error page to a 'forbidden' code then replace last line with
RewriteRule .* http://www.osu.edu/err/404.php [L,NE,R=301]
Notice that for mod_rewrite you’ll need the IPs in regular expression form rather than CIDR, IP/netmask, or other standard ways of denoting IPs. This is because it can only do a string comparison instead of a more intelligent range match.