I am trying to do something that in theory should be extremely easy but doesn't seem to work for me. I want to take a port that has mirrored traffic (used for my web-filtering product) and eliminate all of the traffic from networks that are not filtered. I want to do this by using Citrix XenServer and the iptables built into the server and DROP the packets that do not match what I want to accept. I have attached a basic design.
Simple explanation:
Traffic comes across the SPAN port, hits the physical server, iptables filters off traffic, and the remaining traffic is visible to the Windows virtual servers.
Network Design