Configure the IPv4 Address Deny Rule in IIS 7 Using VB.NET

The aim of this guide is to demonstrate how to programmatically configure the IIS 7 IPv4 address deny rules using VB.NET codes.


The default installation of IIS does not include the role service or Windows feature for IP security. To use IP security on IIS, you must install the role service or Windows feature.

See for more info.

Once you have installed the IP security feature in IIS, you can open up your Visual Studio. Navigate to the Nuget Package Manager in Visual Studio, then install the Microsoft.Web.Administration package.

Next, you will need to download the IP2Location CIDR file.
Download the DB1 CIDR file and extract the IP2LOCATION-IP-COUNTRY.CIDR.CSV file.

Converting the CIDR data and inserting into the IIS deny rules

For our example, we will be using a Windows console application to insert Vietnam IP addresses into the deny list.
Create a file called IISDenyList.vb and paste the following codes into that file.

Imports System.IO
Imports Microsoft.Web.Administration
Module IISDenyList
    Sub Main()
        ' countries to block
        Dim filterCountries As String() = {"VN"}
        ' folder where CIDR file is located
        Dim folder As String = "C:\your folder\"
        Dim serverManager As ServerManager = New ServerManager
        Dim config As Configuration = serverManager.GetApplicationHostConfiguration
        Dim ipSecuritySection As ConfigurationSection = config.GetSection("system.webServer/security/ipSecurity", "Default Web Site")
        Dim Collection As ConfigurationElementCollection = ipSecuritySection.GetCollection()
        Dim newElement As ConfigurationElement
        ' clear existing IPs
        Dim line As String
        Dim colArr() As String
        Dim countryCode As String
        Dim CIDR As String
        Dim CIDRArr As String()
        Dim ipAddress As String
        Dim prefix As Integer
        Dim rawStr As String
        Dim mask As String
        ' processing IP2Location CIDR file
        Using sr As New StreamReader(folder & "IP2LOCATION-IP-COUNTRY.CIDR.CSV")
            While sr.Peek <> -1
                line = sr.ReadLine()
                If line.Contains(",") Then
                    colArr = line.Split(",")
                    countryCode = colArr(1).Replace("""", "")
                    ' if matched countries to block
                    If filterCountries.Contains(countryCode) Then
                        CIDR = colArr(0).Replace("""", "")
                        CIDRArr = CIDR.Split("/")
                        ipAddress = CIDRArr(0)
                        prefix = Integer.Parse(CIDRArr(1))
                        ' convert prefix to subnet mask
                        rawStr = New String("1", prefix).PadRight(32, "0")
                        mask = Convert.ToByte(rawStr.Substring(0, 8), 2) & "." & Convert.ToByte(rawStr.Substring(8, 8), 2) & "." & Convert.ToByte(rawStr.Substring(16, 8), 2) & "." & Convert.ToByte(rawStr.Substring(24, 8), 2)
                        ' add new deny rule
                        newElement = Collection.CreateElement()
                        newElement.SetAttributeValue("ipAddress", ipAddress)
                        newElement.SetAttributeValue("subnetMask", mask)
                        newElement.SetAttributeValue("allowed", False)
                    End If
                End If
            End While
        End Using
        ' save entries to IIS
    End Sub
End Module

NOTE: To customize the code for your own use, edit the filterCountries array to store the ISO country codes for any countries you wish to block. You should also configure the folder variable to contain the path to where you have stored the CIDR file. Remember to run this code every month when you have downloaded a new copy of the CIDR file.

Alternatives solutions for IIS and .NET

The above codes are pretty straightforward but not very flexible in cases when you need to do selective filtering by URL or if you want to do more with the IP geolocation data.

There is another solution which works inside the IIS pipeline called the IP2Location HTTP Module. This module works transparently inside the IIS. Your website can be either PHP or ASP.NET, it doesn’t really matter as long as it is running inside the IIS. Website redirection and blocking can be easily configured via regular expressions while IP geolocation data can be obtained via server variables.

For those who want to query IP2Location data inside ASP.NET, the IP2Location .NET Component is best. The component can be instantiated and used by your .NET codes. What you do with the IP geolocation data it returns, that’s up to you. Fast queries and flexible usage.

Was this article helpful?

Related Articles