Quick note to myself, as I keep forgetting the syntax even though it is so easy. Blocking an incoming connection by null routing (rejecting) the source address is as simple as:
route add -host IP reject
To apply this to a whole subnet range, use -net with the prefix length, as you would with a /24 mask (or the appropriate subnet, /29 or smaller should do), e.g.:
route add -net IP/RANGE reject
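To undo this, delete the route with the same arguments it was added with (swap -host IP for -net IP/RANGE if a subnet was blocked):
route del -host IP reject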
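A helper for the commands above, as an added example that is not part of the original note: it validates the target, picks -host or -net, and prints the matching add or del command without running it. The function names, the MIN_PREFIX guard and the sample addresses (documentation ranges) are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: prints validated `route ... reject` commands, never runs them.
# MIN_PREFIX is an assumed safety limit; addresses below are constructed samples.
MIN_PREFIX=${MIN_PREFIX:-16}

# ip_to_int A.B.C.D: print the address as an integer, fail on malformed input.
ip_to_int() {
    case "$1" in ''|*[!0-9.]*|*..*|.*|*.) return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case "$o" in 0?*|????*) return 1 ;; esac   # no leading zeros (octal)
        [ "$o" -le 255 ] || return 1
    done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# reject_cmd add|del TARGET, TARGET being A.B.C.D or A.B.C.D/PREFIX.
reject_cmd() {
    action=$1; target=$2
    case "$action" in add|del) ;; *) echo "use add or del" >&2; return 2 ;; esac
    case "$target" in
        */*) addr=${target%/*}; prefix=${target##*/} ;;
        *)   addr=$target; prefix=32 ;;
    esac
    case "$prefix" in
        ''|*[!0-9]*|0?*|???*) echo "bad prefix: $prefix" >&2; return 2 ;;
    esac
    n=$(ip_to_int "$addr") || { echo "bad address: $addr" >&2; return 2; }
    if [ "$prefix" -gt 32 ] || [ "$prefix" -lt "$MIN_PREFIX" ]; then
        echo "/$prefix is outside /$MIN_PREFIX../32" >&2; return 2
    fi
    if [ "$prefix" -eq 32 ]; then
        echo "route $action -host $addr reject"; return 0
    fi
    # route refuses a -net target whose host bits are set, so check alignment.
    hostmask=$(( (1 << (32 - prefix)) - 1 ))
    if [ $(( n & hostmask )) -ne 0 ]; then
        echo "$addr is not the network address of a /$prefix" >&2; return 2
    fi
    echo "route $action -net $addr/$prefix reject"
}

reject_cmd add 203.0.113.7        # single host
reject_cmd add 198.51.100.0/24    # aligned subnet
reject_cmd del 198.51.100.0/24    # the matching undo
```

Review the printed line before running it as root; a misaligned or overly wide target is refused with a non-zero exit status instead of producing a command.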