When working with IIS 7's IP Address Restrictions feature, you might encounter limitations when trying to specify a range of IP addresses. The interface appears to only accept single IP addresses in the "IP Address Range" field, while requiring either a subnet mask or prefix length in the "Mask or Prefix" field.
For your specific requirement to allow access from 192.168.100.100 through 192.168.100.120, IIS 7 doesn't provide a direct "from-to" range input. Instead, you'll need to use CIDR notation or subnet masks to define your range.
The most efficient way to handle this is to calculate the smallest CIDR block that encompasses your entire range:
1. Identify the range: 192.168.100.100 - 192.168.100.120
2. Calculate the CIDR: /27 (255.255.255.224) would cover 192.168.100.96-127
3. In IIS:
   - IP Address Range: 192.168.100.96
   - Mask or Prefix: 255.255.255.224 or /27
If you need to be more precise and only allow exactly 192.168.100.100-120, you'll need to create individual entries:
    <ipSecurity allowUnlisted="false">
      <add ipAddress="192.168.100.100" allowed="true" />
      <add ipAddress="192.168.100.101" allowed="true" />
      <!-- Continue through 120 -->
    </ipSecurity>
For larger ranges, use PowerShell to generate the entries:
    $start = 100
    $end = 120
    $baseIP = "192.168.100."
    $config = '<ipSecurity allowUnlisted="false">'
    for ($i = $start; $i -le $end; $i++) {
        # `n is a newline and `" an escaped quote inside a double-quoted string
        $config += "`n  <add ipAddress=`"${baseIP}${i}`" allowed=`"true`" />"
    }
    $config += "`n</ipSecurity>"
    # Write the fragment to a file, then copy it into applicationHost.config or web.config
    $config | Out-File -FilePath "C:\temp\ipSecurity.config"
After implementation, verify using:
1. From an allowed IP: Should get normal response
2. From a blocked IP: Should receive 403.6 error
3. Check IIS logs for verification
- CIDR ranges will include more IPs than your exact range
- Multiple entries increase configuration size
- Changes might require IIS reset
- Consider using URL Rewrite module for more complex scenarios
When working with IIS 7's IP restriction feature, you'll notice it requires either:
- A single IP address
- An IP address range defined by either:
  - CIDR notation (Prefix)
  - Subnet mask (Mask)
For your case of allowing 192.168.100.100 through 192.168.100.120, we need to calculate the appropriate CIDR or subnet mask that covers this range without being too permissive.
The range 192.168.100.100-192.168.100.120 includes 21 addresses. The smallest CIDR block that contains this range is 192.168.100.96/27 which gives us addresses from 192.168.100.96 to 192.168.100.127.
- Network Address: 192.168.100.96
- Broadcast Address: 192.168.100.127
- Usable Range: 192.168.100.97 - 192.168.100.126
You have two valid approaches:
Option 1: Using CIDR Notation
- IP Address Range: 192.168.100.96
- Prefix: 27
Option 2: Using Subnet Mask
- IP Address Range: 192.168.100.96
- Mask: 255.255.255.224
If you absolutely must restrict to exactly 100-120 and can't use the wider /27 block:
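    <!-- allowUnlisted defaults to "true"; set it to "false" so unlisted clients are denied -->
    <ipSecurity allowUnlisted="false">
      <add ipAddress="192.168.100.100" allowed="true" />
      <add ipAddress="192.168.100.101" allowed="true" />
      <!-- Additional entries for 102-119 -->
      <add ipAddress="192.168.100.120" allowed="true" />
    </ipSecurity>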
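The /27 block admits 11 addresses outside 100-120, while the per-address list needs 21 entries. As an added example (not part of the original page), the PowerShell below splits an inclusive range into the fewest CIDR blocks that cover it exactly and prints one `<add>` element per block using the `subnetMask` attribute. The function names are hypothetical helpers, and the `-shr` operator assumes PowerShell 3.0 or later.

```powershell
# Added example: the helper functions below are hypothetical, not IIS cmdlets.

function ConvertTo-Long([string]$Ip) {
    # Dotted-quad -> integer, held in Int64 so 32-bit values cannot overflow
    [long]$n = 0
    foreach ($octet in [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()) {
        $n = $n * 256 + $octet
    }
    $n
}

function ConvertTo-Ip([long]$n) {
    # Integer -> dotted-quad, most significant octet first
    (3..0 | ForEach-Object { ($n -shr (8 * $_)) -band 255 }) -join '.'
}

function Get-CidrBlocks([string]$First, [string]$Last) {
    [long]$cur = ConvertTo-Long $First
    [long]$end = ConvertTo-Long $Last
    while ($cur -le $end) {
        # Grow the block while it stays aligned on $cur and inside the range
        [long]$size = 1
        $prefix = 32
        while ($prefix -gt 0 -and
               ($cur % ($size * 2)) -eq 0 -and
               ($cur + $size * 2 - 1) -le $end) {
            $size *= 2
            $prefix--
        }
        [pscustomobject]@{
            Network = ConvertTo-Ip $cur
            Prefix  = $prefix
            Mask    = ConvertTo-Ip (4294967296 - $size)   # 2^32 - block size
        }
        $cur += $size
    }
}

# The range used on this page
$blocks = Get-CidrBlocks '192.168.100.100' '192.168.100.120'

$xml = @('<ipSecurity allowUnlisted="false">')
$xml += $blocks | ForEach-Object {
    '  <add ipAddress="{0}" subnetMask="{1}" allowed="true" />  <!-- /{2} -->' -f
        $_.Network, $_.Mask, $_.Prefix
}
$xml += '</ipSecurity>'
$xml -join "`r`n"
```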
After implementing, test access from:
- An allowed IP (should work)
- A blocked IP outside the range (should be denied)
- Edge cases (192.168.100.96 and 192.168.100.127 if using /27)