You plan to build a web server that needs to be restricted to certain users on the Internet with static IPs as it involves sensitive information. As always, security is one of the most important consideration to administrators and putting up services in public networks means being paranoid is warranted.
There are many ways to secure your web server.
First of all, the basic thing you can do is secure it with SSL. There is no point in restricting access when you allow unauthorised users the ability to possibly sniff an established session for sensitive information.
Next, restrict access to it by IP. You can edit your web server configuration files to accept connection only from the IPs you trust.
You can also restrict access by using certificates if it is not a hassle.
If you are paranoid, you can also implement usernames and password although this would be an overkill on top of certificates.
You have pretty much covered all that you need to at this stage although it is not impossible that they might not be enough.
You see, when you restrict your web server only to trusted IPs, hackers can masquerade as those IPs and still gain access. Of course, the other security measures we have taken such as certificates etc are the secondary security layer which should prevent such unauthorised access but what if all those layers were penetrated?
This is where modifying the system's default gateway will help.
Say for example your clients are on IP range of 18.104.22.168/24
route del gw [current gateway]
route add -net 22.214.171.124/24 gw [current gateway]
route delete 0.0.0.0 mask 0.0.0.0 [current gateway]
route add 126.96.36.199 mask 255.255.255.0 [current gateway] -p
What this does is to inform the operating system the web server is running on how to communicate to trusted host other than the ones within the same local network. So even if an unauthorised host masquerades as a trusted host and able to fool the web server, the operating system however will not be able to communicate with the unauthorised host because it has no information on how to do that.
Even if the operating system if fooled into thinking that a packet is coming from a trusted host when it is actually not, it will still try to communicate back with the trusted host and not the unauthorised host. The communication will obviously fail because no host from the trusted IPs initiated it.
A simply analogy is when someone disguised as John to get your data. When you use the web server IP restriction security feature, you are simply telling the web server to release the data to a person named 'John' but anyone can simply disguised as John and get the data.
By modifying the default gateway, it does not matter who disguises as John because the data will be sent to the real John. Since the real John did not ask for the data, the data will not reach anyone and kept safe.
Even if the server is fooled and tried to sent the data to the fake John's address, the operating system is not able to because it only has the real John's address to outgoing delivery and no one else.
So there you go. Hope it helps but remember, doing this means you are cutting the web server off from any other host other than the local network it's on and the specified IPs but that's what being paranoid is all about.