Use the Remote Address Filter Valve. [A valve, Tomcat only, is a Java class that preprocesses access requests. You can associate valves in server.xml to the containers engine, host and context.] It allows you to specify, at configuration time, whether or not requests coming from certain (sets of) IP addresses should be allowed or denied (using regular expressions). By default, all accesses are allowed. Look in server.xml for RemoteAddrValve.
<Valve className="org.apache.catalina.valves.RemoteAddrValve" deny="127.0.0.*"/>