How to Whitelist an IP Address (Every Platform)

IP whitelisting is one of the most effective ways to secure servers, APIs, and network resources. By allowing traffic only from trusted IP addresses, you reduce your attack surface dramatically. This guide covers how to whitelist IPs on every major platform and firewall.

Before you begin, you will need to know the IP address you want to whitelist. Visit WheresThatIP.com to find your current public IP, or use our IP Lookup tool to verify any IP address.

What Is IP Whitelisting?

IP whitelisting (also called "allowlisting") is a security practice where you create a list of trusted IP addresses that are permitted to access a resource. Any IP not on the list is denied access. This is commonly used to:

  • Restrict access to admin panels and dashboards
  • Secure API endpoints from unauthorized use
  • Limit SSH and remote desktop access to known IPs
  • Protect databases from external connections
  • Control access to cloud infrastructure

Important Considerations

Before implementing IP whitelisting, keep these factors in mind:

  • Static vs. dynamic IP — If your IP changes regularly (most home connections use dynamic IPs), whitelisting becomes impractical unless you use a VPN with a fixed IP or request a static IP from your ISP
  • IPv4 and IPv6 — Make sure to whitelist both your IPv4 and IPv6 addresses if your network uses dual-stack. See our IPv6 guide for details
  • CIDR notation — For whitelisting a range of IPs, you will use CIDR notation (e.g., 192.168.1.0/24 for all addresses from 192.168.1.0 to 192.168.1.255). Understanding subnet masks helps here
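
The considerations above can be checked mechanically before any rule is deployed. The following Python is an added example, not part of the original article: it audits an allowlist for mistyped CIDR entries, broad ranges and missing IPv6 coverage, then tests client addresses against it. The sample entries, the /24 and /48 review thresholds and the function names are assumptions made for illustration.

```python
import ipaddress

# Constructed sample allowlist (documentation ranges only): entry -> owner.
ALLOWLIST = {
    "203.0.113.50": "office VPN exit",
    "192.0.2.0/24": "partner network",
    "203.0.113.77/24": "contractor, mistyped with host bits set",
    "198.51.100.0/22": "old vendor range",
}
MIN_V4_PREFIX, MIN_V6_PREFIX = 24, 48  # assumed review thresholds

def audit_entry(entry):
    """Parse one entry; return (network, findings that need review)."""
    findings = []
    try:
        net = ipaddress.ip_network(entry)  # strict: rejects host bits
    except ValueError:
        net = ipaddress.ip_network(entry, strict=False)
        # iptables applies the mask, so the rule admits the whole network.
        findings.append(f"host bits set; effective range is {net}")
    floor = MIN_V4_PREFIX if net.version == 4 else MIN_V6_PREFIX
    if net.prefixlen < floor:
        findings.append(f"broad range: {net.num_addresses} addresses "
                        f"({net[0]} to {net[-1]})")
    return net, findings

def audit(allowlist):
    """Return (report of entry -> findings, parsed networks)."""
    report, nets = {}, []
    for entry in allowlist:
        net, findings = audit_entry(entry)
        nets.append(net)
        if findings:
            report[entry] = findings
    if {n.version for n in nets} == {4}:
        report["(whole list)"] = ["no IPv6 entry; IPv6 clients are denied"]
    return report, nets

def is_allowed(client_ip, nets):
    """True if client_ip falls inside any allowlisted network."""
    addr = ipaddress.ip_address(client_ip)
    # A dual-stack listener can report an IPv4 client as ::ffff:a.b.c.d.
    if addr.version == 6 and addr.ipv4_mapped:
        addr = addr.ipv4_mapped
    return any(addr in net for net in nets)

if __name__ == "__main__":
    report, nets = audit(ALLOWLIST)
    for entry, findings in report.items():
        print(f"{entry} [{ALLOWLIST.get(entry, 'n/a')}]: {'; '.join(findings)}")
```

With the sample list, 203.0.113.200 is allowed even though nobody intended it, because the mistyped 203.0.113.77/24 entry covers the whole /24.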

Windows Firewall

Allow a Specific IP

  1. Open Windows Defender Firewall with Advanced Security (search for it in the Start menu)
  2. Click Inbound Rules in the left panel
  3. Click New Rule in the right panel
  4. Select Custom and click Next
  5. Leave "All programs" selected, click Next
  6. Leave protocol settings as default, click Next
  7. Under "Which remote IP addresses does this rule apply to?", select These IP addresses
  8. Click Add and enter the IP address or range
  9. Select Allow the connection
  10. Name the rule and click Finish

PowerShell Method

New-NetFirewallRule -DisplayName "Allow Trusted IP" -Direction Inbound -RemoteAddress 203.0.113.50 -Action Allow

macOS Firewall (pf)

macOS uses pf (Packet Filter) for advanced firewall rules. Edit the configuration:

sudo nano /etc/pf.conf

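Add a rule to allow traffic from a specific IP. pf passes traffic by default and the last matching rule wins, so this rule only restricts access when the ruleset also blocks other inbound traffic: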

pass in from 203.0.113.50 to any

Reload the ruleset, then enable pf if it is not already enabled:

sudo pfctl -f /etc/pf.conf
sudo pfctl -e

Linux (iptables)

Allow a specific IP on a port

# Allow SSH from a specific IP
sudo iptables -A INPUT -p tcp -s 203.0.113.50 --dport 22 -j ACCEPT

# Block SSH from all other IPs. Rules are checked in order and -A appends,
# so this DROP must be added after the ACCEPT rule above.
sudo iptables -A INPUT -p tcp --dport 22 -j DROP

Allow an IP range using CIDR

sudo iptables -A INPUT -p tcp -s 203.0.113.0/24 --dport 443 -j ACCEPT

Save the rules (Ubuntu/Debian)

# The redirect must also run as root, so run the whole command in a root shell
sudo sh -c 'iptables-save > /etc/iptables/rules.v4'

Linux (UFW - Uncomplicated Firewall)

# Allow all traffic from a specific IP
sudo ufw allow from 203.0.113.50

# Allow a specific IP on a specific port
sudo ufw allow from 203.0.113.50 to any port 22

# Allow a subnet
sudo ufw allow from 203.0.113.0/24 to any port 443

AWS Security Groups

  1. Open the EC2 Console and select Security Groups
  2. Select your security group and click Edit inbound rules
  3. Click Add rule
  4. Set the type (e.g., SSH, HTTPS, Custom TCP)
  5. Under Source, select Custom and enter the IP in CIDR format: 203.0.113.50/32
  6. Click Save rules

For a single IP, always use /32 to specify an exact address.

AWS CLI Method

aws ec2 authorize-security-group-ingress \
  --group-id sg-0123456789abcdef0 \
  --protocol tcp \
  --port 22 \
  --cidr 203.0.113.50/32

Cloudflare

  1. Log in to the Cloudflare dashboard
  2. Select your domain
  3. Go to Security then WAF
  4. Click Tools
  5. Under "IP Access Rules", enter the IP address
  6. Select Allow from the action dropdown
  7. Choose the scope (this website or all websites)
  8. Click Add

Nginx Web Server

In your Nginx configuration file (e.g., /etc/nginx/sites-available/default):

location /admin {
    allow 203.0.113.50;
    allow 198.51.100.0/24;
    deny all;
}

Reload Nginx after changes:

sudo nginx -t && sudo systemctl reload nginx

Apache Web Server

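In your Apache configuration (the <Directory> block is only valid in the server or virtual host configuration; in an .htaccess file placed inside the directory, use the Require lines on their own):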

<Directory "/var/www/html/admin">
    Require ip 203.0.113.50
    Require ip 198.51.100.0/24
</Directory>

cPanel

  1. Log in to cPanel
  2. Navigate to Security then IP Blocker
  3. To whitelist, use the cPanel IP Deny Manager — add block rules for all traffic except your whitelisted IPs
  4. Alternatively, use .htaccess rules (Apache method above) for more granular control

Database Servers

MySQL/MariaDB

-- Create a user that can only connect from a specific IP
CREATE USER 'appuser'@'203.0.113.50' IDENTIFIED BY 'password';
GRANT ALL PRIVILEGES ON mydb.* TO 'appuser'@'203.0.113.50';

PostgreSQL (pg_hba.conf)

# Allow connections from a specific IP
host    mydb    appuser    203.0.113.50/32    md5

API Rate Limiting with IP Whitelist

Many APIs use IP whitelisting as an authentication layer. If you are using our WheresThatIP API, you can restrict your API key to specific IP addresses for additional security.

Troubleshooting IP Whitelisting

  • Locked yourself out? — Access the server through a console (not network-dependent) to fix the rules
  • IP keeps changing? — Consider getting a static IP or using a VPN with a fixed exit IP
  • Behind a proxy or CDN? — Make sure you are whitelisting the correct IP. Use our DNS lookup to check
  • IPv6 not working? — Ensure your whitelist includes both IPv4 and IPv6 addresses

Best Practices

  • Always test whitelist rules before deploying to production
  • Keep a backup access method (console access) in case you lock yourself out
  • Document all whitelisted IPs and who they belong to
  • Review and update the whitelist regularly — remove IPs that are no longer needed
  • Use CIDR ranges sparingly — the narrower the range, the more secure
  • Combine IP whitelisting with other security measures (authentication, encryption)