I block spam at the mail server itself rather than with iptables. I do have some scripts that scan logs to see which IP addresses are sending lots of spam and then adds iptables rules to block those specific addresses. I use sendmail rather than postfix, so I cannot tell you how to configure it to block Chinese senders. In sendmail you can add rules to /etc/mail/access that block SMTP senders by domain. "Wrapping" the SMTP server in xinetd and using /etc/hosts.[allow|deny] rules is another option.
You can also establish access rules in Apache. You can block all hosts in the .cn domain like this:
Most server applications give you control over access. If you have an especially balky one, there is always xinetd.
deny from .cn