diff --git a/README.md b/README.md
index b7ceac93..5590107d 100644
--- a/README.md
+++ b/README.md
@@ -2469,6 +2469,8 @@ options:
 --filtered-upstream-hosts FILTERED_UPSTREAM_HOSTS
 Default: Blocks Facebook. Comma separated list of IPv4 and IPv6 addresses.
+ --filtered-client-ips-mode FILTERED_CLIENT_IPS_MODE
+ Default: "blacklist". Can be either "whitelist" (restrict access to specific IPs) or "blacklist" (allow everything except specific IPs).
 --filtered-client-ips FILTERED_CLIENT_IPS
 Default: 127.0.0.1,::1. Comma separated list of IPv4 and IPv6 addresses.
diff --git a/proxy/plugin/filter_by_client_ip.py b/proxy/plugin/filter_by_client_ip.py
index 2f199042..8f0e7841 100644
--- a/proxy/plugin/filter_by_client_ip.py
+++ b/proxy/plugin/filter_by_client_ip.py
@@ -21,6 +21,14 @@ from ..http.parser import HttpParser
 from ..http.exception import HttpRequestRejected
+flags.add_argument(
+ '--filtered-client-ips-mode',
+ type=str,
+ default='blacklist',
+ help='Default: blacklist. Can be either "whitelist" (restrict access to specific IPs)'
+ 'or "blacklist" (allow everything except specific IPs).',
+)
+
 flags.add_argument(
 '--filtered-client-ips',
 type=str,
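Review bot: The two adjacent literals in the new `help=` are concatenated without a separating space, so `--help` prints `...specific IPs)or "blacklist"...`; the first literal should end `'...(restrict access to specific IPs) '`. The flag also accepts any string: the only validation is the `assert` inside `before_upstream_connection` in the next hunk, and assertions are stripped under `python -O`, so a mistyped mode would be discovered per request rather than at startup. Adding `choices=('blacklist', 'whitelist'),` to this `add_argument` call makes argparse reject an unknown mode when the proxy starts. The `flags.add_argument(` call for `--filtered-client-ips` at the end of the hunk continues past it.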
@@ -30,15 +38,23 @@ flags.add_argument( class FilterByClientIpPlugin(HttpProxyBasePlugin): - """Drop traffic by inspecting incoming client IP address.""" + """Allow only (whitelist) or Drop only (blacklist) traffic by inspecting incoming client IP address.""" def before_upstream_connection( self, request: HttpParser, ) -> Optional[HttpParser]: assert not self.flags.unix_socket_path and self.client.addr - if self.client.addr[0] in self.flags.filtered_client_ips.split(','): - raise HttpRequestRejected( - status_code=httpStatusCodes.I_AM_A_TEAPOT, - reason=b'I\'m a tea pot', - ) + assert self.flags.filtered_client_ips_mode in ('blacklist', 'whitelist') + if self.flags.filtered_client_ips_mode == 'blacklist': + if self.client.addr[0] in self.flags.filtered_client_ips.split(','): + raise HttpRequestRejected( + status_code=httpStatusCodes.I_AM_A_TEAPOT, + reason=b'I\'m a tea pot', + ) + elif self.flags.filtered_client_ips_mode == 'whitelist': + if self.client.addr[0] not in self.flags.filtered_client_ips.split(','): + raise HttpRequestRejected( + status_code=httpStatusCodes.I_AM_A_TEAPOT, + reason=b'I\'m a tea pot', + ) return request
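Review bot: The mode dispatch fails open: the `assert` on `filtered_client_ips_mode` is removed under `python -O`, and a value that is neither `'blacklist'` nor `'whitelist'` then matches neither the `if` nor the `elif`, so `return request` forwards the connection with no filtering at all. Making the whitelist behaviour the fallback (or folding both cases into one comparison, as below) means any unexpected mode rejects unlisted clients instead of admitting everyone, and it removes the duplicated `raise HttpRequestRejected(...)` block. The new docstring could also state that matching is an exact string comparison against the comma-separated list, since the whitelist wording may suggest CIDR ranges are accepted. The teapot response is kept byte-for-byte in the rewrite.
```python
    ) -> Optional[HttpParser]:
        assert not self.flags.unix_socket_path and self.client.addr
        mode = self.flags.filtered_client_ips_mode
        assert mode in ('blacklist', 'whitelist')
        listed = self.client.addr[0] in self.flags.filtered_client_ips.split(',')
        # blacklist: reject listed clients; any other mode: reject unlisted ones,
        # so an unexpected mode value fails closed rather than open.
        if listed == (mode == 'blacklist'):
            raise HttpRequestRejected(
                status_code=httpStatusCodes.I_AM_A_TEAPOT,
                reason=b'I\'m a tea pot',
            )
        return request
```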