The aim of this guide is to demonstrate how to programmatically configure the IIS 7 IPv4 address deny rules using VB.NET code.
Pre-requisites
The default installation of IIS does not include the role service or Windows feature for IP security. To use IP security on IIS, you must install the role service or Windows feature.
See https://learn.microsoft.com/en-us/iis/configuration/system.webServer/security/ipSecurity/ for more info.
Once you have installed the IP security feature in IIS, open Visual Studio. Navigate to the NuGet Package Manager in Visual Studio, then install the Microsoft.Web.Administration package.
Next, you will need to download the IP2Location CIDR file.
Download the DB1 CIDR file and extract the IP2LOCATION-IP-COUNTRY.CIDR.CSV file.
Converting the CIDR data and inserting into the IIS deny rules
For our example, we will be using a Windows console application to insert Vietnam IP addresses into the deny list.
Create a file called IISDenyList.vb and paste the following code into that file.
Imports System.IO
Imports System.Linq
Imports Microsoft.Web.Administration
Module IISDenyList
    Sub Main()
        ' countries to block
        Dim filterCountries As String() = {"VN"}
        ' folder where CIDR file is located
        Dim folder As String = "C:\your folder\"
        ' writing to the IIS configuration requires running as administrator
        Using serverManager As New ServerManager()
            Dim config As Configuration = serverManager.GetApplicationHostConfiguration()
            Dim ipSecuritySection As ConfigurationSection = config.GetSection("system.webServer/security/ipSecurity", "Default Web Site")
            Dim Collection As ConfigurationElementCollection = ipSecuritySection.GetCollection()
            Dim newElement As ConfigurationElement
            ' clear existing IPs (removes every ipSecurity entry already set for this site)
            Collection.Clear()
            Dim line As String
            Dim colArr() As String
            Dim countryCode As String
            Dim CIDR As String
            Dim CIDRArr As String()
            Dim ipAddress As String
            Dim prefix As Integer
            Dim rawStr As String
            Dim mask As String
            ' processing IP2Location CIDR file
            Using sr As New StreamReader(folder & "IP2LOCATION-IP-COUNTRY.CIDR.CSV")
                While sr.Peek() <> -1
                    line = sr.ReadLine()
                    If line.Contains(",") Then
                        colArr = line.Split(","c)
                        countryCode = colArr(1).Replace("""", "")
                        ' if matched countries to block
                        If filterCountries.Contains(countryCode) Then
                            CIDR = colArr(0).Replace("""", "")
                            CIDRArr = CIDR.Split("/"c)
                            ipAddress = CIDRArr(0)
                            prefix = Integer.Parse(CIDRArr(1))
                            ' convert prefix to subnet mask: a 32-bit string of "prefix" ones, read back as four octets
                            rawStr = New String("1"c, prefix).PadRight(32, "0"c)
                            mask = Convert.ToByte(rawStr.Substring(0, 8), 2) & "." & Convert.ToByte(rawStr.Substring(8, 8), 2) & "." & Convert.ToByte(rawStr.Substring(16, 8), 2) & "." & Convert.ToByte(rawStr.Substring(24, 8), 2)
                            ' add new deny rule
                            newElement = Collection.CreateElement()
                            newElement.SetAttributeValue("ipAddress", ipAddress)
                            newElement.SetAttributeValue("subnetMask", mask)
                            newElement.SetAttributeValue("allowed", False)
                            Collection.Add(newElement)
                        End If
                    End If
                End While
            End Using
            ' save entries to IIS
            serverManager.CommitChanges()
        End Using
    End Sub
End Module
NOTE: To customize the code for your own use, edit the filterCountries array to store the ISO country codes for any countries you wish to block. You should also configure the folder variable to contain the path to where you have stored the CIDR file. Remember to run this code every month when you have downloaded a new copy of the CIDR file.
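Before committing a new deny list, it helps to confirm offline that a given address (your own admin workstation, for instance) would or would not be caught by it. The following is an added example, not part of the original guide: DenyListDryRun, TryParseRow and WouldBeDenied are hypothetical names, the sample rows are constructed from documentation ranges, and IPv4 input is assumed. It never touches IIS.

```vbnet
Imports System
Imports System.Net
Imports System.Net.Sockets
Module DenyListDryRun
    ' Convert an IPv4 address to a 32-bit integer, most significant octet first.
    Function ToUInt32(ip As IPAddress) As UInteger
        Dim b As Byte() = ip.GetAddressBytes()
        Return (CUInt(b(0)) << 24) Or (CUInt(b(1)) << 16) Or (CUInt(b(2)) << 8) Or CUInt(b(3))
    End Function
    ' Parse one "cidr","country" row; False for malformed, non-IPv4 or out-of-range rows.
    Function TryParseRow(line As String, ByRef network As UInteger,
                         ByRef mask As UInteger, ByRef country As String) As Boolean
        Dim cols As String() = line.Replace("""", "").Split(","c)
        If cols.Length < 2 Then Return False
        Dim parts As String() = cols(0).Trim().Split("/"c)
        Dim ip As IPAddress = Nothing
        Dim prefix As Integer
        If parts.Length <> 2 OrElse Not IPAddress.TryParse(parts(0), ip) Then Return False
        If ip.AddressFamily <> AddressFamily.InterNetwork Then Return False
        If Not Integer.TryParse(parts(1), prefix) OrElse prefix < 0 OrElse prefix > 32 Then Return False
        ' VB masks the shift count to 5 bits, so /0 needs its own case
        mask = If(prefix = 0, 0UI, UInteger.MaxValue << (32 - prefix))
        network = ToUInt32(ip) And mask
        country = cols(1).Trim()
        Return True
    End Function
    ' True when the address falls inside a range of one of the blocked countries.
    Function WouldBeDenied(address As String, rows As String(),
                           blocked As String()) As Boolean
        Dim target As UInteger = ToUInt32(IPAddress.Parse(address))
        Dim network, mask As UInteger
        Dim country As String = Nothing
        For Each row As String In rows
            If TryParseRow(row, network, mask, country) AndAlso
               Array.IndexOf(blocked, country) >= 0 AndAlso (target And mask) = network Then
                Return True
            End If
        Next
        Return False
    End Function
    Sub Main()
        ' Constructed sample rows: two valid ranges, one with an invalid /33 prefix, one non-CSV line.
        Dim rows As String() = {"""192.0.2.0/24"",""VN""", """198.51.100.0/25"",""US""",
                                """203.0.113.0/33"",""VN""", "not a csv row"}
        For Each ip As String In {"192.0.2.77", "198.51.100.9", "203.0.113.5"}
            Console.WriteLine(ip & " denied: " & WouldBeDenied(ip, rows, {"VN"}))
        Next
    End Sub
End Module
```

To check against the real data, pass the lines of the extracted CSV (for example from File.ReadAllLines) as the rows argument.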
Alternative solutions for IIS and .NET
The above code is pretty straightforward but not very flexible when you need to do selective filtering by URL or want to do more with the IP geolocation data.
There is another solution which works inside the IIS pipeline called the IP2Location HTTP Module. This module works transparently inside IIS. Your website can be either PHP or ASP.NET; it doesn’t really matter as long as it is running inside IIS. Website redirection and blocking can be easily configured via regular expressions, while IP geolocation data can be obtained via server variables.
For those who want to query IP2Location data inside ASP.NET, the IP2Location .NET Component is best. The component can be instantiated and used by your .NET code. What you do with the IP geolocation data it returns is up to you. Fast queries and flexible usage.