adf
By:
adf

Isolating network from other droplets

March 7, 2013 2.7k views
I see lots of ARP and UDP activity from other hosts on the same network as my droplet, despite not obviously allowing those in iptables (though I allow RELATED and ESTABLISHED) Is there a way to isolate my doplet from the rest of the subnet without affecting its internet access?
3 Answers
Example of traffic seen

root@locutus:/var/log# tcpdump src net 192.81.223/24 and dst net 192.81.223/24
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
10:15:16.557076 ARP, Request who-has ubuntunorge.com tell 192.81.223.2, length 46
10:15:17.854127 ARP, Request who-has 192.81.223.1 tell 192.81.223.1, length 46
10:15:18.753579 IP 192.81.223.118.17500 > 192.81.223.255.17500: UDP, length 123
10:15:19.853784 ARP, Request who-has 192.81.223.1 tell 192.81.223.1, length 46
10:15:21.853997 ARP, Request who-has 192.81.223.1 tell 192.81.223.1, length 46
10:15:22.072348 ARP, Request who-has synth.pl tell 192.81.223.3, length 46
10:15:22.555656 ARP, Request who-has 192.81.223.28 tell 192.81.223.2, length 46

10:16:53.186513 IP do1.maykastudio.ru.17500 > 192.81.223.255.17500: UDP, length 112

10:17:13.011074 ARP, Request who-has 192.81.223.51 tell 192.81.223.3, length 46
10:17:13.011116 ARP, Reply 192.81.223.51 is-at 04:01:01:97:7d:01 (oui Unknown), length 28

So thats ARP requests from .1 .2 and .3 hosts (only those) and some other hosts doing UDP broadcasts
We would need to review your iptables rules to see what traffic you are blocking and how, if you like and you are not talking to any other virtual servers you can just drop all traffic from other hosts on the network and only allow your own droplets to communicate with each other.
This is a problem guys.... why are you okay with being able to browse all network traffic on the same segment, even if the destination is not localhost?

Are the droplets connected via hub? How have you misconfigured the VSwitch? This is a big privacy issue even for those that do ssl-everywhere...
Have another answer? Share your knowledge.