Only allows requests from a specified set of IPs. Useful when a site is under development or maintenance.

Whitelist IP Addresses

To only allow requests to a list of whitelisted IPs, first add the following rule to web.config’s <rewriteMaps> section (create the rewriteMaps key if it doesn’t exist):

<system.webServer>
	<rewrite>
		<rewriteMaps>
			<rewriteMap name="Whitelist">
				<add key="127.0.0.1" value="1" />
				<add key="192.168.1.15" value="1" />
			</rewriteMap>
		</rewriteMaps>
	</rewrite>
</system.webServer>

Then add the following to your web.config’s <rules> section:

<system.webServer>
	<rewrite>
		<rules>
			<rule name="Only allow whitelisted IPs">
				<match url=".*" />
				<conditions>
					<add input="{Whitelist:{REMOTE_ADDR}}" matchType="Pattern" pattern="1" negate="true" />
				</conditions>
				<action type="Redirect" url="https://www.example.com/404.html" appendQueryString="false" />
			</rule>
		</rules>
	</rewrite>
</system.webServer>

For clarity, this is how the web.config would reflect these additions:

<system.webServer>
	<rewrite>
		<rewriteMaps>
			<rewriteMap name="Whitelist">
				<add key="127.0.0.1" value="1" />
				<add key="192.168.1.15" value="1" />
			</rewriteMap>
		</rewriteMaps>
		<rules>
			<rule name="Only allow whitelisted IPs">
				<match url=".*" />
				<conditions>
					<add input="{Whitelist:{REMOTE_ADDR}}" matchType="Pattern" pattern="1" negate="true" />
				</conditions>
				<action type="Redirect" url="https://www.example.com/404.html" appendQueryString="false" />
			</rule>
		</rules>
	</rewrite>
</system.webServer>

This would allow requests from the IPs 127.0.0.1 and 192.168.1.15 while redirecting all requests from any other IP to the 404.html page.

Why Lose Memories?

Blacklist IP Addresses

To prevent requests from a list of blacklisted IPs, first add the following rule to web.config’s <rewriteMaps> section (create the rewriteMaps key if it doesn’t exist):

<system.webServer>
	<rewrite>
		<rewriteMaps>
			<rewriteMap name="Blacklist">
				<add key="103.22.66.175" value="1" />
			</rewriteMap>
		</rewriteMaps>
	</rewrite>
</system.webServer>

Then add the following to your web.config’s <rules> section:

<system.webServer>
	<rewrite>
		<rules>
			<rule name="Reject blacklisted IPs">
				<match url=".*" />
				<conditions>
					<add input="{Blacklist:{REMOTE_ADDR}}" matchType="Pattern" pattern="1" />
				</conditions>
				<action type="CustomResponse" statusCode="403" statusReason="Forbidden" />       
			</rule>	
		</rules>
	</rewrite>
</system.webServer>

For clarity, this is how the web.config would reflect these additions:

<system.webServer>
	<rewrite>
		<rewriteMaps>
			<rewriteMap name="Blacklist">
				<add key="103.22.66.175" value="1" />
			</rewriteMap>
		</rewriteMaps>
		<rules>
			<rule name="Reject blacklisted IPs">
				<match url=".*" />
				<conditions>
					<add input="{Blacklist:{REMOTE_ADDR}}" matchType="Pattern" pattern="1" />
				</conditions>
				<action type="CustomResponse" statusCode="403" statusReason="Forbidden" />       
			</rule>
		</rules>
	</rewrite>
</system.webServer>

This would prevent requests from the IP 103.22.66.175 by returning a 403 Forbidden response. Requests from all other IPs are allowed.

In More Detail

Blacklisting by IP is probably the oldest way to blacklist, and works very well for denying access to site scrapers, trolls, and other malicious visitors.

While IP blacklisting can be circumvented by using a different computer with a different IP address, a tunneling VPN service, or a proxy server or network, a vast majority of the malicious requests made are done so by lazy or relatively uninformed individuals who use the same machine and have little sophistication in how they operate. IP blacklisting is a simple way to take advantage of their laziness, and causes no harm by adding these rules.