Is it safe to restrict access to a site by IP?
I know there is something called "IP spoofing" - does this mean that (under some conditions) IP restriction is not accurate?
If a client forges its source IP address, it will be very difficult to establish a TCP connection, because as @cdhowie noted in a comment below, the client would need to ACK the server's SYN + ACK back, which it will never receive.
Spoofed IP addresses are mostly dangerous for denial of service attacks, as the attacker would not care about receiving responses to the attack packets, and they would be much more difficult to filter since each spoofed packet appears to come from a different address.