Overview

Oracle Cloud instances are protected by two independent firewall layers that both must allow a connection before traffic reaches your application.

🌐 Internet Inbound traffic on any port ☁️ Oracle Security List Cloud-level ingress rules (22, 80, 443) 🔥 Linux iptables OS-level packet filter (22, 80, 443) ⚡ Nginx → Odoo Application layer (localhost only)

Both firewall layers must be configured — one alone is not sufficient

Both layers are required

Opening a port in only the Oracle Security List will still be blocked by iptables, and vice versa. You must configure both layers for traffic to reach Nginx.

Required Ports

Only three ports need to be publicly accessible. Port 8069 must remain private.

PortProtocolPurposePublic?
22TCP SSH remote access Yes
80TCP HTTP — Let's Encrypt challenge & permanent redirect to HTTPS Yes
443TCP HTTPS — all Odoo traffic Yes
8069TCP Odoo HTTP server (internal only) Never
Tip

After Nginx is configured, verify that Odoo only listens on loopback: sudo ss -tlnp | grep 8069 — the local address must be 127.0.0.1:8069, never 0.0.0.0:8069.

Oracle Cloud Security List

In the Oracle Cloud Console, navigate to Networking → Virtual Cloud Networks → your VCN → Security Lists → Default Security List and add the following Ingress Rules.

Source CIDRIP ProtocolDestination PortDescription
0.0.0.0/0TCP22SSH
0.0.0.0/0TCP80HTTP / Let's Encrypt
0.0.0.0/0TCP443HTTPS
Do not add an ingress rule for port 8069

Never create a public ingress rule for TCP 8069. Odoo's built-in HTTP server is not hardened for direct Internet exposure.

IPv6

If your VM has a public IPv6 address, add the same rules with source CIDR ::/0 for each port.

Linux Firewall (iptables)

Ubuntu 24.04 uses iptables as its packet filter. Oracle Cloud VM images ship with a pre-loaded iptables ruleset that blocks most inbound traffic by default. You must explicitly allow the required ports.

Allow HTTP and HTTPS

bash
sudo iptables -I INPUT -p tcp --dport 80  -j ACCEPT
sudo iptables -I INPUT -p tcp --dport 443 -j ACCEPT

SSH (port 22) is typically already allowed by the default Oracle ruleset. Verify with:

bash
sudo iptables -L INPUT -n --line-numbers

Persist the Rules

iptables rules are not persistent by default. Save them so they survive a reboot.

bash
sudo apt install -y iptables-persistent

sudo iptables-save | sudo tee /etc/iptables/rules.v4 > /dev/null
Verify after reboot

After saving rules, reboot the server once to confirm the firewall configuration survives a restart: sudo reboot. Then reconnect and re-check with sudo iptables -L INPUT -n --line-numbers.

Verification

bash
sudo ss -tlnp

curl -I http://127.0.0.1

curl -Ik https://example.com
  • SSH (port 22) is reachable
  • HTTP (port 80) returns a response from Nginx
  • HTTPS (port 443) returns a valid TLS response
  • Port 8069 is not accessible from outside the server
  • iptables rules are saved and survive a reboot

Common Issues

ProblemLikely CauseResolution
Connection timed out on port 80 or 443Port blocked in one or both firewall layersCheck the Oracle Security List ingress rules and sudo iptables -L INPUT -n
HTTPS not reachable, HTTP worksPort 443 not opened in iptablesRun sudo iptables -I INPUT -p tcp --dport 443 -j ACCEPT and save
Rules disappear after rebootiptables rules not persistedInstall iptables-persistent and save rules with iptables-save
Port 8069 accessible from InternetIncorrect Oracle Security List ruleDelete the ingress rule for TCP 8069 from the Oracle Security List
Odoo listens on 0.0.0.0:8069http_interface not setSet http_interface = 127.0.0.1 in /etc/odoo/odoo.conf and restart Odoo
Recommended production firewall posture
  • TCP 22 → SSH (restrict to known IPs if possible)
  • TCP 80 → HTTP (Let's Encrypt challenge + redirect)
  • TCP 443 → HTTPS (Odoo)
  • All other inbound ports → BLOCKED
Back to top