Sometimes you may want to prevent a specific IP address from accessing your machine or server. There's a variety of methods with pros and cons:
Application Level
If you really just want to prevent a specific IP from accessing a specific application on your machine, you may be able to reconfigure that app to block specific IPs. For example, if you're using IIS, you can configure it to block IPs in this window:
Note that if you use this IIS feature, you should be aware that it prevents HTTP.SYS kernel mode caching from being used (see the last bullet on this page), though most sites probably won't notice a difference.
Windows Firewall
The Windows Firewall control panel can be used to only allow specific IPs and IP-ranges:
The main problem here is that this is an Allow List, as opposed to a Deny List. So to "block" one address you have to "invert" it: allow every range except the one you want to deny.
Tip: To avoid locking yourself out of your machine, it may be useful to start a batch file like the following before you change your firewall rules:
sleep 30
netsh firewall set opmode DISABLE
Provided that you have sleep.exe in your %PATH%, this will wait 30 seconds, then disable the Windows Firewall completely (just like clicking 'Off' in the Windows Firewall control panel). The idea is that if you tweak the UI and you accidentally lock yourself out, just wait 30 seconds and the firewall will be disabled. Or, if you tweaked it properly, just Ctrl-C the batch file to prevent the batch file from disabling the firewall.
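The same safety-net idea, applied to a true block rule. This is an added example, not part of the original post: it assumes Windows Vista / Server 2008 or later, where "netsh advfirewall" supports explicit Block rules scoped to a remote address, so the allow-list inversion described above is not needed. The rule name and the address 203.0.113.5 (documentation range) are placeholders. The rollback deletes only the rule just added instead of switching the whole firewall off, which is what the 30-second trick above does.

```batch
@echo off
REM Added example (not from the original post). Requires an elevated prompt
REM on Windows Vista / Server 2008 or later. Address is a placeholder.
set BADIP=203.0.113.5
set RULE=Block host 203.0.113.5 example

REM 1. Inbound block rule for a single address. remoteip= also accepts a
REM    CIDR range (203.0.113.0/24) or a comma-separated list of addresses.
netsh advfirewall firewall add rule name="%RULE%" dir=in action=block remoteip=%BADIP%
if errorlevel 1 (
    echo Failed to add the rule, nothing to roll back.
    exit /b 1
)

REM 2. Safety net, same idea as sleep + opmode DISABLE above, but narrower:
REM    after 30 seconds delete just this rule. If your remote session still
REM    works, press Ctrl-C before the timer expires to keep the rule.
echo Rule "%RULE%" is active. Press Ctrl-C within 30 seconds to KEEP it.
timeout /t 30 /nobreak >nul
netsh advfirewall firewall delete rule name="%RULE%"
echo Rule "%RULE%" removed (rolled back).
```

To confirm what is in place before the timer runs out, "netsh advfirewall firewall show rule name=all" lists every rule with its remote-address scope.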
IPsec
This tutorial explains how to use IPsec on Windows Server 2003 to block specific IPs.
Additional Tips:
- If you don't want to use the MMC IP Security Policies snap-in GUI to "assign the policy", you can use this netsh command:
  netsh ipsec static set policy name="Packet Filters - Your Web Host" assign=yes
- Similarly, to unassign the policy (i.e. stop using these IPsec rules), run:
  netsh ipsec static set policy name="Packet Filters - Your Web Host" assign=no
- To avoid locking yourself out of your machine, it may be useful to start a batch file like the following before you tweak the IPsec settings:
  sleep 30
  netsh ipsec static set policy name="Packet Filters - Your Web Host" assign=no
  Provided that you have sleep.exe in your %PATH%, this will wait 30 seconds, then unassign the IPsec policy (just like choosing "Un-assign" in the IP Security Policies snap-in GUI). The idea is that if you tweak the IPsec settings and you accidentally lock yourself out, just wait 30 seconds and the IPsec settings will be deactivated. Or, if you tweaked it properly, just Ctrl-C the batch file to prevent it from deactivating the settings.
- If you make your IPsec block list too big, you may encounter a performance slowdown. For example, as a test, I put 7,000 IP addresses in an IPsec block list and CPU usage went through the roof when the machine was under network stress. I think in practice, if you keep the number low, you won't notice any performance change, so this is still a very useful technique.
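For readers who would rather script the whole IPsec block list than click through the snap-in, here is the command-line equivalent, as an added example that is not part of the original post or the linked tutorial. It uses the Windows Server 2003 "netsh ipsec static" command set to build the filter list, filter action, policy and rule, then assigns the policy with the same 30-second rollback described in the tips above. The filter-list, action and rule names are assumptions that only need to be consistent within the script; the addresses are documentation-range placeholders; timeout.exe is assumed to be available (ships with Server 2003 and later; substitute "sleep 30" as above if it is not).

```batch
@echo off
REM Added example (not from the original post). Run from an elevated prompt
REM on Windows Server 2003 or later. Names and addresses are placeholders.
set POLICY=Packet Filters - Your Web Host
set FLIST=Blocked Hosts

REM 1. Filter list with one filter per address or range. mirrored=yes makes
REM    the filter match both packets from the host and replies back to it.
netsh ipsec static add filterlist name="%FLIST%" description="Hosts to drop"
netsh ipsec static add filter filterlist="%FLIST%" srcaddr=203.0.113.5 dstaddr=Me protocol=ANY mirrored=yes description="Single host"
netsh ipsec static add filter filterlist="%FLIST%" srcaddr=198.51.100.0 srcmask=255.255.255.0 dstaddr=Me protocol=ANY mirrored=yes description="Whole /24"

REM 2. Filter action that drops matching packets (no negotiation attempted).
netsh ipsec static add filteraction name="Drop" action=block

REM 3. Policy, created unassigned, plus a rule tying the list to the action.
netsh ipsec static add policy name="%POLICY%" description="IP block list" assign=no
netsh ipsec static add rule name="Block listed hosts" policy="%POLICY%" filterlist="%FLIST%" filteraction="Drop"

REM 4. Assign the policy, then arm the rollback from the tips above: if the
REM    remote session survives, press Ctrl-C within 30 seconds to keep it.
netsh ipsec static set policy name="%POLICY%" assign=yes
echo Policy "%POLICY%" assigned. Press Ctrl-C within 30 seconds to KEEP it.
timeout /t 30 /nobreak >nul
netsh ipsec static set policy name="%POLICY%" assign=no
echo Policy "%POLICY%" unassigned (rolled back).
```

Keeping every blocked address in one filter list makes it easy to see how large the list has grown ("netsh ipsec static show filterlist name=all"), which matters given the CPU cost of a very long list noted above.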
Ask your ISP
The main problems with all the approaches described above are the following:
- You're still paying for the bandwidth for all the traffic reaching your box, even if you discard it using the methods above.
- It still consumes resources of your machine to discard traffic.
If you ask your ISP/webhost/colo/upstream to block IPs, they may be able to solve these issues for you, though obviously then you may lose some agility in terms of how quickly you can add/remove IPs from the blocklist, etc.