Pentaho just runs on Tomcat. So look at either Tomcat or Apache for this, e.g.:
Tomcat Restrict access by IP address
(using valves)
It does have inbuilt restriction on where the Admin console can connect from, but it doesn't sound like you're talking about that.
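
A sketch of the valve approach mentioned above, added here as an example and not part of the original answer. The 10.20.30.x range is a constructed sample, and the valve is assumed to sit in the web application's `<Context>` element (it can also be nested in `<Host>` or `<Engine>`).

```xml
<!-- Added example: restrict a Tomcat web application to loopback plus one
     internal range. The 10.20.30.x range is a constructed sample value. -->
<Context>
  <!-- 'allow' is a java.util.regex pattern matched against the whole client
       address, so dots are escaped. Both IPv6 loopback spellings are listed
       because the address may be reported in either form. Requests from any
       other address are rejected (403 by default). -->
  <Valve className="org.apache.catalina.valves.RemoteAddrValve"
         allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1|10\.20\.30\.\d+" />

  <!-- If Tomcat sits behind an Apache reverse proxy, every request arrives
       from the proxy's address, so this valve would see only that address.
       In that setup either enforce the restriction in Apache, or declare an
       org.apache.catalina.valves.RemoteIpValve before this valve so the
       client address is taken from the proxy's forwarded header. -->
</Context>
```

Test the rule from both an allowed and a disallowed address after restarting Tomcat, since a regex that matches nothing locks everyone out.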