Windows IP restrictions via URL Rewrite in Windows 2008

Restricting IPs from accessing your site within Web.Config


Quickly deny IPs access to your website within Web.Config. You can also do this in IIS Manager.

This article will guide you through denying IP addresses from accessing your website by using the URL Rewrite module in IIS. This is also possible by using the IP and Domain restrictions in IIS by submitting a verified ticket here:


Assuming you have a clean site and basic knowledge of HTML, XML, and uploading files to your site over FTP, you should be able to copy and paste the code provided. If you already have a Web.Config file, work within its existing contents and change only the required parts. Always remember to make a backup!


First, create a file named web.config with the contents below. Upload the file to the root of the site, and you should be able to block any IP you wish on the fly.
<?xml version="1.0" encoding="UTF-8"?>
<!-- The XML declaration above must be the first line of the file -->
<configuration>
    <system.webServer>
        <rewrite>
            <!-- This is where the rules start; this one applies to EVERY URL on your site because of <match url=".*" /> -->
            <rules>
                <rule name="Blocked Users" stopProcessing="true">
                    <match url=".*" />
                    <!-- MatchAny: the request is blocked if either condition below matches -->
                    <conditions logicalGrouping="MatchAny">
                        <!-- This looks up REMOTE_ADDR (the requesting IP) in the 'Bad Ips' rewriteMap below -->
                        <add input="{Bad Ips:{REMOTE_ADDR}}" pattern="1" />
                        <!-- Address ranges: rewriteMap keys are compared as exact strings, so a key such as 108.166.*.* never matches a real address; match the range with a regular expression on REMOTE_ADDR instead -->
                        <add input="{REMOTE_ADDR}" pattern="^108\.166\.\d+\.\d+$" />
                    </conditions>
                    <!-- Actions can be Custom Response, Rewrite, Redirect, or Abort Request; uncomment examples as needed -->
                    <action type="CustomResponse" statusCode="403" statusReason="Forbidden" statusDescription="Forbidden" />
                    <!-- This one will rewrite the URL to the specified file
                    <action type="Rewrite" url="error.html" appendQueryString="false" /> -->
                    <!-- This one will redirect to another site
                    <action type="Redirect" url="" appendQueryString="false" /> -->
                    <!-- This one will just abort the request
                    <action type="AbortRequest" /> -->
                </rule>
            </rules>
            <!-- This rewrite map is where you list individual blocked IPs; keys with value 1 are blocked, all others are ignored. Simply add your keys -->
            <rewriteMaps>
                <rewriteMap name="Bad Ips">
                    <!-- This one uses a static IP: put the address to block in key -->
                    <add key="" value="1" />
                </rewriteMap>
            </rewriteMaps>
        </rewrite>
    </system.webServer>
</configuration>
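
A pre-upload check for a web.config like the one above, as an added example that is not part of the original article: it parses the file and reports whether a given client address would hit a blocking rule. It assumes rewrite map keys are looked up as exact strings and condition patterns are regular expressions, with Python's regex engine standing in for the one IIS uses; the function names and the sample addresses are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample; 203.0.113.7 is a documentation address, not a value from the page.
SAMPLE = r"""<?xml version="1.0" encoding="UTF-8"?>
<configuration><system.webServer><rewrite>
  <rules><rule name="Blocked Users" stopProcessing="true">
    <match url=".*" />
    <conditions logicalGrouping="MatchAny">
      <add input="{Bad Ips:{REMOTE_ADDR}}" pattern="1" />
      <add input="{REMOTE_ADDR}" pattern="^108\.166\.\d+\.\d+$" />
    </conditions>
    <action type="CustomResponse" statusCode="403" />
  </rule></rules>
  <rewriteMaps><rewriteMap name="Bad Ips">
    <add key="203.0.113.7" value="1" />
  </rewriteMap></rewriteMaps>
</rewrite></system.webServer></configuration>"""

# Matches a condition input of the form {MapName:{REMOTE_ADDR}}
MAP_REF = re.compile(r"^\{([^:{}]+):\{REMOTE_ADDR\}\}$")

def load_config(xml_text):
    """Parse web.config text (raises ET.ParseError if it is not well-formed)."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    maps = {m.get("name"): {a.get("key", "").lower(): a.get("value", "")
                            for a in m.findall("add")}
            for m in root.iter("rewriteMap")}
    rules = []
    for rule in root.iter("rule"):
        for conds in rule.findall("conditions"):  # rules without conditions are skipped
            checks = [(a.get("input", ""), a.get("pattern", "")) for a in conds.findall("add")]
            rules.append((rule.get("name"), conds.get("logicalGrouping", "MatchAll"), checks))
    return maps, rules

def expand(cond_input, remote_addr, maps):
    """Resolve a condition input to the string its pattern is tested against."""
    m = MAP_REF.match(cond_input)
    if m:  # assumed semantics: exact, case-insensitive key lookup; a miss yields ""
        return maps.get(m.group(1), {}).get(remote_addr.lower(), "")
    return cond_input.replace("{REMOTE_ADDR}", remote_addr)

def blocked_by(xml_text, remote_addr):
    """Return the name of the first rule whose conditions match remote_addr, else None."""
    maps, rules = load_config(xml_text)
    for name, grouping, checks in rules:
        hits = [re.search(p, expand(i, remote_addr, maps), re.I) is not None for i, p in checks]
        if hits and (any(hits) if grouping == "MatchAny" else all(hits)):
            return name
    return None
```

Run `blocked_by` over your own address before uploading so that a typo in the map or pattern does not lock you out of the site.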


There are many other ways to manage rewrite rules; this is just a basic example. See  for more information.
