IPMI modules are a great way to get full control over a remote server without buying extra remote console or remote power hardware. You can take over the entire server, do KVM or serial over IP, and it’s even possible to mount ISOs from a local workstation and boot the server off them.
The problem is, IPMI modules should only be accessible from a management network that is not publicly reachable.
Recently I wanted to place my server in a (shared) co-location facility, where I was unable to use a private network for the IPMI module in my Supermicro server. The original plan was to use a local iptables firewall on the IPMI module itself, as it runs an ARM Linux implementation. Unfortunately the iptables install included with the firmware is severely broken, and can’t be used:
# iptables -I INPUT -p tcp -s x.x.x.x -j ACCEPT
iptables v1.2.11: Couldn't load target `standard':/lib/iptables/libipt_standard.so: cannot open shared object file: No such file or directory
Try `iptables -h' or 'iptables --help' for more information.
#
Cross-compiling iptables is an option, but it would also mean extensive modification of the flash image, as there is no (easy) way to transfer files to the BMC, and flash storage space is limited.
The customized Linux install also doesn’t allow for safe shutdown of unneeded services, so this would still expose the module to the internet. This post at Server Fault shows that I’m not the only one looking for a solution for this.
In the end, a friend (thanks mtp!) came up with a simple solution to at least limit access to the public IPMI IP: simply removing the default gateway, and setting routes to some static IPs that are allowed to connect. In combination with a small enough netmask, this is secure enough for my purposes.
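To check what this setup actually leaves reachable, the following added example (not part of the original post) models the BMC's routing table and reports whether the BMC has a path to reply to a given source address. It only models the return path: packets still arrive at the BMC, it just cannot answer them. All addresses are constructed documentation-range values and the function names are hypothetical.

```python
import ipaddress

def build_table(iface_cidr, allowed, default_gw=None):
    """Routing table as (network, kind) pairs, longest prefix first."""
    iface = ipaddress.ip_interface(iface_cidr)
    table = [(iface.network, "on-link")]
    # One host route (/32) per management station allowed to connect.
    table += [(ipaddress.ip_network(a), "static route") for a in allowed]
    if default_gw:
        table.append((ipaddress.ip_network("0.0.0.0/0"), "default gateway"))
    return sorted(table, key=lambda e: e[0].prefixlen, reverse=True)

def reply_path(src, table):
    """Kind of route the BMC would use to answer src, or None if it has none."""
    addr = ipaddress.ip_address(src)
    for net, kind in table:
        if addr in net:
            return kind
    return None

def onlink_neighbours(iface_cidr):
    """Hosts in the BMC's own subnet; these stay reachable without any route."""
    iface = ipaddress.ip_interface(iface_cidr)
    return sum(1 for h in iface.network.hosts() if h != iface.ip)

# Constructed sample configuration (RFC 5737 documentation addresses).
BMC = "192.0.2.2/30"
ALLOWED = ["203.0.113.10", "198.51.100.7"]

if __name__ == "__main__":
    before = build_table(BMC, ALLOWED, default_gw="192.0.2.1")
    after = build_table(BMC, ALLOWED)
    for src in ["203.0.113.10", "203.0.113.99", "192.0.2.1"]:
        print(src, "before:", reply_path(src, before),
              "after:", reply_path(src, after))
    # Why the netmask matters: every on-link neighbour keeps a reply path.
    for cidr in [BMC, "192.0.2.2/24"]:
        print(cidr, "on-link neighbours:", onlink_neighbours(cidr))
```

The on-link count shows why the netmask has to be small: in a shared facility, every other address inside the BMC's subnet can still talk to it regardless of the routes.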







