There are probably a gazillion ways you can do this.
The first one that pops into mind would involve hooking into init and then doing a wp_redirect to a pretty error page on your root blog if the person is not allowed in: "You have tried to access a restricted blog. The Hunter Destroyers have been dispatched."
To check for the IP you can have a multi-dimensional load from site-meta that has a big list of blogID->ApprovedIP pairs and a UI to maintain it.
The function on init does an isset() to see if there is anything under that blog ID. If that blog ID is not found, don't redirect - it's not a filtered blog. If there are entries for the blog, then look for the $_SERVER['REMOTE_ADDR'] in the 2nd dimension of the array. If found, don't redirect; otherwise do.
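
The check described above, sketched as a network-activated plugin. This is an added example, not code from the original answer; the option name `example_blog_ip_allowlist`, the `/restricted/` error page path and the `example_*` function names are assumptions, and the maintenance UI is not shown.

```php
<?php
/**
 * Plugin Name: Per-blog IP allowlist (added example)
 */

// Assumed site-meta key. Value shape: array( blog_id => array( 'ip', ... ) ).
const EXAMPLE_ALLOWLIST_OPTION = 'example_blog_ip_allowlist';
// Assumed path of the error page on the root blog.
const EXAMPLE_DENIED_PATH = '/restricted/';

/**
 * Decide whether a client address may view a blog.
 * Kept free of WordPress calls so the decision can be tested on its own.
 */
function example_ip_allowed( array $allowlist, $blog_id, $remote_addr ) {
    // No entry for this blog ID: it is not a filtered blog.
    if ( ! isset( $allowlist[ $blog_id ] ) ) {
        return true;
    }
    // Filtered blog: the address must appear in the second dimension.
    // Strict comparison avoids PHP's loose string/number matching.
    return is_string( $remote_addr )
        && in_array( $remote_addr, (array) $allowlist[ $blog_id ], true );
}

add_action( 'init', function () {
    // WP-CLI and command-line cron runs have no client address.
    if ( PHP_SAPI === 'cli' ) {
        return;
    }
    // The root blog hosts the error page, so this example never filters it;
    // otherwise a listed root blog would redirect to itself in a loop.
    if ( is_main_site() ) {
        return;
    }
    $allowlist = get_site_option( EXAMPLE_ALLOWLIST_OPTION, array() );
    if ( ! is_array( $allowlist ) ) {
        return; // Nothing stored yet: no blog is filtered.
    }
    $remote_addr = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : null;
    if ( example_ip_allowed( $allowlist, get_current_blog_id(), $remote_addr ) ) {
        return;
    }
    wp_redirect( network_home_url( EXAMPLE_DENIED_PATH ), 302 );
    exit; // wp_redirect() only sends the header; stop rendering the blog.
} );
```

If the site sits behind a reverse proxy or CDN, REMOTE_ADDR is the proxy's address, so every visitor matches or fails as one; client-supplied headers such as X-Forwarded-For should only be used when the proxy is known to overwrite them.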