How to Block IP Ranges in IIS7 Using IPv4 Subnet Mask Notation



When dealing with malicious traffic or implementing security policies, web administrators often need to block entire IP ranges. IIS7 provides built-in functionality for this through its "IP Address and Domain Restrictions" feature. The key challenge is correctly expressing IP ranges using proper subnet mask notation.

To block an entire range like 119.30.47.xx (where xx represents any value from 0-255), you need to understand how subnet masks work:

  • A standard IPv4 address has 32 bits divided into four octets
  • The subnet mask determines which portion is fixed (network) and which is variable (host)
  • Each "xx" octet in your range represents 8 bits of variability

For the example 119.30.47.xx, here's how to configure it:

1. Open IIS Manager
2. Select your website or server node
3. Double-click "IP Address and Domain Restrictions"
4. Click "Add Deny Entry"
5. Enter these values:
   - IP address: 119.30.47.0
   - Subnet mask: 255.255.255.0
6. Click OK

This configuration will block all IP addresses from 119.30.47.0 to 119.30.47.255.

For more complex scenarios, you can use different subnet mask values:

| Range to Block | IP to Enter | Subnet Mask |
|---|---|---|
| 119.30.xx.xx | 119.30.0.0 | 255.255.0.0 |
| 119.xx.xx.xx | 119.0.0.0 | 255.0.0.0 |
| 119.30.47.128-255 | 119.30.47.128 | 255.255.255.128 |

For programmatic control or deployment scenarios, you can configure IP restrictions directly in web.config:

```xml
<system.webServer>
  <security>
    <ipSecurity allowUnlisted="true">
      <add ipAddress="119.30.47.0" subnetMask="255.255.255.0" allowed="false" />
      <add ipAddress="203.0.113.64" subnetMask="255.255.255.224" allowed="false" />
    </ipSecurity>
  </security>
</system.webServer>
```
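The ranges shown so far each line up with a single subnet mask; a range such as 119.30.47.100-200 does not, and has to be split into several deny entries. The following added example (not part of the original article) is an offline Python helper that converts the range notations used on this page into the minimal set of `<add>` entries; the function names and the 100-200 sample range are assumptions made for illustration.

```python
import ipaddress

def parse_range(spec):
    """Return (first, last) for '119.30.47.xx', '119.30.47.128-255' or 'a.b.c.d-e.f.g.h'."""
    spec = spec.strip().lower()
    if "-" in spec:
        left, right = spec.split("-", 1)
        if "." not in right:                 # short form: only the last octet is given
            right = left.rsplit(".", 1)[0] + "." + right
        return ipaddress.IPv4Address(left), ipaddress.IPv4Address(right)
    octets = spec.split(".")
    if len(octets) != 4:
        raise ValueError(f"expected four octets: {spec!r}")
    wild = [o in ("x", "xx") for o in octets]
    if wild != sorted(wild):                 # False sorts before True: wildcards must be trailing
        raise ValueError(f"wildcard octets must be trailing: {spec!r}")
    if wild[0]:                              # refuse a rule that would deny every address
        raise ValueError("refusing to build a deny rule for the whole IPv4 space")
    first = ".".join("0" if w else o for o, w in zip(octets, wild))
    last = ".".join("255" if w else o for o, w in zip(octets, wild))
    return ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)

def deny_entries(spec):
    """Split a range into the fewest (ipAddress, subnetMask) pairs that cover it exactly."""
    first, last = parse_range(spec)          # raises ValueError if last < first (checked below)
    return [(str(net.network_address), str(net.netmask))
            for net in ipaddress.summarize_address_range(first, last)]

def to_web_config(specs):
    """Render deny entries as an <ipSecurity> fragment in the page's web.config form."""
    lines = ['<ipSecurity allowUnlisted="true">']
    for spec in specs:
        for ip, mask in deny_entries(spec):
            lines.append(f'  <add ipAddress="{ip}" subnetMask="{mask}" allowed="false" />')
    lines.append("</ipSecurity>")
    return "\n".join(lines)

if __name__ == "__main__":
    # Constructed sample input: two ranges from the article plus one unaligned range.
    print(to_web_config(["119.30.47.xx", "119.30.47.128-255", "119.30.47.100-200"]))
```

The unaligned 100-200 range expands to six entries, which is why entering 119.30.47.100 with a single mask cannot express it.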

After implementing restrictions:

  1. Test from a blocked IP to verify the 403.6 response
  2. Check IIS logs for "sc-status 403" entries
  3. Use PowerShell to verify configuration:

```powershell
Import-Module WebAdministration
Get-WebConfigurationProperty -Filter "/system.webServer/security/ipSecurity" -Name "."
```

Many programmers may encounter the need to ban certain IP ranges in IIS7 for security or other operational reasons. In this article, we'll explore how to achieve this.

The programmer has a list of IP ranges to ban, such as 119.30.47.xx, where "xx" can be any value. When trying to add a deny entry in IIS's domain and IP restrictions, the question is what values to enter.

1. **Understand the IP Range Format**:
   - 119.30.47.xx is a partial IP address. IIS7 cannot take it in that form, so it has to be converted into an IP address plus a subnet mask.
   - The range 119.30.47.xx runs from 119.30.47.0 to 119.30.47.255. In subnetting terms, starting from the address 119.30.47.0 and including every value from 0 to 255 in the last octet gives a subnet mask of 255.255.255.0.
2. **Entering Values in IIS7**:
   - When adding a deny entry in IIS7's domain and IP restrictions:
     - In the "IP address" field, enter 119.30.47.0.
     - In the "Subnet mask" field, enter 255.255.255.0.
   - Here is an example of how it might look in code (although this is configuration rather than programming code in the traditional sense):
xml




- This XML-like configuration can be used to add the IP range ban in IIS7. If you are using the IIS management console, navigate to the site, open "IP Address and Domain Restrictions", and add the deny entry with the IP address and subnet mask values described above.