I'm running Redis on my webserver (Debian/Nginx/Gunicorn) for session storage and have reasons to believe my Redis server is being hacked. It's definitely possible because if I run the command "redis-cli -h (HOST IP)" on a different machine against the web server, I can get into the console and run commands. I have two questions. First, if I add a new section to my iptables files as shown below, will I be correctly blocking access to my Redis server from all machines except the webserver itself? Redis is running on the default port 6379.

*filter

-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -s 127.0.0.0/8 -j REJECT

# Allow pings, SSH, and web access
-A INPUT -p icmp -m state --state NEW --icmp-type 8 -j ACCEPT
-A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT
-A INPUT -p tcp --dport 443 -m state --state NEW -j ACCEPT

# NEW SECTION...
# IS THIS CORRECT?
-A INPUT -p tcp --dport 6379 -j DROP
-A INPUT -p tcp -s 127.0.0.1 --dport 6379 -m state --state NEW -j ACCEPT
# END NEW SECTION

-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -j REJECT
-A FORWARD -j REJECT

COMMIT

Second, if the above is correct, can I still use 127.0.0.1 in the IPv6 version of my iptables or do I need to use "::1"?

Thanks.

You should be able to do this through the Redis configuration file:

# By default Redis listens for connections from all the network interfaces  
# available on the server. It is possible to listen to just one or multiple 
# interfaces using the "bind" configuration directive, followed by one or 
# more IP addresses. 
# 
# Examples: 
# 
# bind 192.168.1.100 10.0.0.1 
# bind 127.0.0.1

modify redis.conf file :

bind 127.0.0.1 ==> redis instanse will accept connections only from localhost

bind 127.0.0.1 xxx.xx.xx.xxx ==> if you want to accept connections from out server add ip of the server

#bind 127.0.0.1 ==> comment this line will make redis listens from any network interface