2

As far as I know, a determined attacker would have no major issues in hacking the IP address of the packets contained by his (web) request.

Therefore, I cannot see how an Access Control List (such as the ones listed below) might improve the security of a server, as determined "users" can simply bypass the restriction.

Azure ACL

IIS IP security

Thank you :)

1 Answer

2

IP spoofing (what you incorrectly call "hacking the IP address of the packets") isn't easy for TCP because you should also be able to receive the response even before being able to send actual application data (like an HTTP request).

IP-based restrictions should never be the only line of defense, but it's a good idea to still use them to lock down administrative accounts when you only plan to use them from the same network location; in the unfortunate event that your credentials are compromised, the attacker will also need to somehow get access to that trusted location (by compromising that machine or a router in its path to your locked down system so he can appear to come from that location and receive the reply packets) to be able to use it as a pivot to log into the locked down system using those credentials.
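
The handshake argument in the answer above, as a toy model in Python (an added example, not part of the original post; it simulates no real network stack). The class and function names and the addresses 203.0.113.10 and 198.51.100.7 are constructed for illustration.

```python
import secrets

class Network:
    """Routes every packet to the host that really owns the destination IP."""
    def __init__(self):
        self.inbox = {}  # ip -> packets delivered to that host

    def deliver(self, dst_ip, packet):
        self.inbox.setdefault(dst_ip, []).append(packet)

class Server:
    def __init__(self, net, allowed_ips):
        self.net, self.allowed = net, set(allowed_ips)
        self.pending, self.established = {}, set()

    def on_syn(self, src_ip, port):
        if src_ip not in self.allowed:      # the IP ACL: checked on the claimed source
            return
        isn = secrets.randbits(32)          # unpredictable initial sequence number
        self.pending[(src_ip, port)] = isn
        # The SYN-ACK goes to the claimed source, not to whoever sent the SYN.
        self.net.deliver(src_ip, {"type": "SYN-ACK", "port": port, "seq": isn})

    def on_ack(self, src_ip, port, ack):
        isn = self.pending.pop((src_ip, port), None)
        if isn is not None and ack == (isn + 1) % 2**32:
            self.established.add((src_ip, port))

    def on_request(self, src_ip, port):
        # Application data (e.g. an HTTP request) is only read on an established connection.
        return (src_ip, port) in self.established

def try_request(server, net, real_ip, claimed_ip, port):
    """The sender sits at real_ip but writes claimed_ip into its packets."""
    server.on_syn(claimed_ip, port)
    seen = [p for p in net.inbox.get(real_ip, []) if p["port"] == port]
    # Without the SYN-ACK the sender has no ISN to acknowledge (None never matches).
    ack = (seen[-1]["seq"] + 1) % 2**32 if seen else None
    server.on_ack(claimed_ip, port, ack)
    return server.on_request(claimed_ip, port)

def demo():
    net = Network()
    server = Server(net, allowed_ips={"203.0.113.10"})  # constructed admin address
    return {
        "trusted_host": try_request(server, net, "203.0.113.10", "203.0.113.10", 40001),
        "outside_own_ip": try_request(server, net, "198.51.100.7", "198.51.100.7", 40002),
        "outside_spoofed": try_request(server, net, "198.51.100.7", "203.0.113.10", 40003),
    }
```

Only the sender that actually receives traffic for the allowed address completes the handshake; in the spoofed case the SYN-ACK lands in the trusted host's inbox and the request is never read.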