Firewall Configuration
Secure the Oracle Cloud VM using two independent firewall layers: the Oracle Security List
(cloud-level) and Linux iptables (OS-level). Both must allow traffic for it to reach Nginx.
Overview
Oracle Cloud instances are protected by two independent firewall layers that both must allow a connection before traffic reaches your application.
Both firewall layers must be configured — one alone is not sufficient
Opening a port in only the Oracle Security List will still be blocked by iptables, and vice versa.
You must configure both layers for traffic to reach Nginx.
Required Ports
Only three ports need to be publicly accessible. Port 8069 must remain private.
| Port | Protocol | Purpose | Public? |
|---|---|---|---|
| 22 | TCP | SSH remote access | Yes |
| 80 | TCP | HTTP — Let's Encrypt challenge & permanent redirect to HTTPS | Yes |
| 443 | TCP | HTTPS — all Odoo traffic | Yes |
| 8069 | TCP | Odoo HTTP server (internal only) | Never |
After Nginx is configured, verify that Odoo only listens on loopback:
sudo ss -tlnp | grep 8069 — the local address must be
127.0.0.1:8069, never 0.0.0.0:8069.
Oracle Cloud Security List
In the Oracle Cloud Console, navigate to Networking → Virtual Cloud Networks → your VCN → Security Lists → Default Security List and add the following Ingress Rules.
| Source CIDR | IP Protocol | Destination Port | Description |
|---|---|---|---|
0.0.0.0/0 | TCP | 22 | SSH |
0.0.0.0/0 | TCP | 80 | HTTP / Let's Encrypt |
0.0.0.0/0 | TCP | 443 | HTTPS |
Never create a public ingress rule for TCP 8069. Odoo's built-in HTTP server is not hardened for direct Internet exposure.
If your VM has a public IPv6 address, add the same rules with source CIDR ::/0 for each port.
Linux Firewall (iptables)
Ubuntu 24.04 uses iptables as its packet filter. Oracle Cloud VM images
ship with a pre-loaded iptables ruleset that blocks most inbound traffic
by default. You must explicitly allow the required ports.
Allow HTTP and HTTPS
sudo iptables -I INPUT -p tcp --dport 80 -j ACCEPT sudo iptables -I INPUT -p tcp --dport 443 -j ACCEPT
SSH (port 22) is typically already allowed by the default Oracle ruleset. Verify with:
sudo iptables -L INPUT -n --line-numbers
Persist the Rules
iptables rules are not persistent by default. Save them so they survive
a reboot.
sudo apt install -y iptables-persistent sudo iptables-save | sudo tee /etc/iptables/rules.v4 > /dev/null
After saving rules, reboot the server once to confirm the firewall configuration
survives a restart:
sudo reboot. Then reconnect and re-check with
sudo iptables -L INPUT -n --line-numbers.
Verification
sudo ss -tlnp curl -I http://127.0.0.1 curl -Ik https://example.com
- ✓ SSH (port 22) is reachable
- ✓ HTTP (port 80) returns a response from Nginx
- ✓ HTTPS (port 443) returns a valid TLS response
- ✓ Port 8069 is not accessible from outside the server
- ✓
iptablesrules are saved and survive a reboot
Common Issues
| Problem | Likely Cause | Resolution |
|---|---|---|
| Connection timed out on port 80 or 443 | Port blocked in one or both firewall layers | Check the Oracle Security List ingress rules and sudo iptables -L INPUT -n |
| HTTPS not reachable, HTTP works | Port 443 not opened in iptables | Run sudo iptables -I INPUT -p tcp --dport 443 -j ACCEPT and save |
| Rules disappear after reboot | iptables rules not persisted | Install iptables-persistent and save rules with iptables-save |
| Port 8069 accessible from Internet | Incorrect Oracle Security List rule | Delete the ingress rule for TCP 8069 from the Oracle Security List |
Odoo listens on 0.0.0.0:8069 | http_interface not set | Set http_interface = 127.0.0.1 in /etc/odoo/odoo.conf and restart Odoo |
- TCP 22 → SSH (restrict to known IPs if possible)
- TCP 80 → HTTP (Let's Encrypt challenge + redirect)
- TCP 443 → HTTPS (Odoo)
- All other inbound ports → BLOCKED