Quick note to myself, as I keep forgetting the syntax, though it is so easy — to block an incoming connection by null routing or rejecting the connection is as simple as

route add -host IP reject

To apply this to a whole subnet range, use the -net as you would with the /24 mask (or the appropriate subnet, /29 or smaller should do), eg

route add -net IP/RANGE reject

To undo this,

route delete IP