Blocking non-IP traffic in Xen

Friday, July 19, 2013

In a typical Xen installation, guest networking is provided via a bridge created on the host (the other common options being NAT or routing). Traffic is received by the host from its Ethernet port(s) before being passed to the bridge, and the bridge then passes that traffic to the appropriate guest based on the destination MAC address.

This setup creates a scenario where each guest will act as though it is physically plugged into a switch. While this is convenient, it also means guests will be able to both receive and send any type of layer 2 traffic, such as Spanning Tree Protocol or ATA over Ethernet.

If the guests are untrusted, then this level of network access is likely to be undesirable: instead, guests should be restricted to IPv4, IPv6, and ARP. Linux includes a tool called ebtables ("ethernet bridge tables") that can perform exactly this type of filtering. To do so, create a startup script containing the following:

#!/bin/sh
# PROTOCOLS chain: frames with an allowed ethertype (IPv4, IPv6, ARP)
# return to the calling chain; everything else is dropped.
ebtables -N PROTOCOLS
ebtables -A PROTOCOLS -p ip -j RETURN
ebtables -A PROTOCOLS -p ip6 -j RETURN
ebtables -A PROTOCOLS -p arp -j RETURN
ebtables -A PROTOCOLS -j DROP
# Send every frame forwarded across the bridge through the chain.
ebtables -I FORWARD -j PROTOCOLS

Now each packet that is forwarded through the host's bridge will have its protocol checked; if it is not one of IPv4, IPv6, or ARP, then the packet (Ethernet frame) is dropped. Guests will be unable to emit undesired traffic, and will not receive unnecessary Ethernet frames for other protocols.
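One caveat with the script above is that it is not safe to re-run: `ebtables -N PROTOCOLS` fails once the chain exists, and every run inserts another jump into FORWARD. The following is an added example, not code from the original post, that installs the same policy idempotently; the names EBTABLES, ALLOWED, CHAIN and install_protocol_filter are this example's own, and EBTABLES can be pointed at a stub command for a dry run.

```shell
#!/bin/sh
# Added example (not from the original post): idempotent installer for the
# ethertype whitelist. Flushes the chain if it already exists, rebuilds it,
# and removes any stale FORWARD jumps before inserting a single fresh one.
set -eu

EBTABLES="${EBTABLES:-ebtables}"   # assumed variable; set to a stub to dry-run
CHAIN="PROTOCOLS"
ALLOWED="${ALLOWED:-ip ip6 arp}"   # ethertype names/aliases from /etc/ethertypes

# True if the user-defined chain already exists (ebtables -L exits non-zero otherwise).
chain_exists() {
    "$EBTABLES" -L "$CHAIN" >/dev/null 2>&1
}

install_protocol_filter() {
    if chain_exists; then
        "$EBTABLES" -F "$CHAIN"          # reuse: drop old rules, keep the chain
    else
        "$EBTABLES" -N "$CHAIN"          # first run: create the chain
    fi

    # One RETURN per allowed ethertype, then drop everything else.
    for proto in $ALLOWED; do
        "$EBTABLES" -A "$CHAIN" -p "$proto" -j RETURN
    done
    "$EBTABLES" -A "$CHAIN" -j DROP

    # Delete every existing jump to the chain (each -D removes one match and
    # fails when none is left), then insert exactly one at the top of FORWARD.
    while "$EBTABLES" -D FORWARD -j "$CHAIN" >/dev/null 2>&1; do :; done
    "$EBTABLES" -I FORWARD -j "$CHAIN"
}

# Run the installer only when invoked as "script.sh apply", so the file can
# also be sourced to reuse the function from another startup script.
if [ "${1:-}" = "apply" ]; then
    install_protocol_filter
fi
```

Note that the FORWARD chain only sees frames crossing the bridge between ports; frames addressed to dom0's own bridge interface go through INPUT instead, so a host that must also be shielded from guests needs the same jump there.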


By Nathan O'Sullivan
