UFW or Firewalld?

Sorry, I had to learn it in production, where if you mess something up, you’re screwed, lmao.

I mostly used the man pages on iptables and a few online questions to find out some things, like what the “limit burst” thing was all about (allow only a certain amount of traffic in before blocking or limiting an IP).

Nowadays, I just suggest people use things like fail2ban or CrowdSec in combination with iptables. Just use some normal, small and “sane” rules (like allow port 22 in, allow 80 and 443 in if applicable, block everything else, keep it short), and those other two will take care of things like burst limits and such.

Iptables can get really complicated, especially if you go into multiple iptables chains. Avoid that and the mess it creates; just try using the default INPUT, OUTPUT and FORWARD chains (basically just the first and last, as you don’t normally need to block output, unless you are blocking something like Facebook, if FB had a single IP address, which is normally easier to block via DNS, with something like pi-hole, adguard home or blocky, and blacklisting it).

All the iptables commands you need to know are:

iptables -L -n -v --line-numbers # list rules with packet/byte counters and rule numbers
iptables -A <chain> <rule> # append at the end of a chain, like -A INPUT ...
iptables -I <chain> <rule> # insert at the top of a chain, like -I INPUT ...
iptables -I <chain> 4 <rule> # insert as rule number 4 of that chain, like -I INPUT 4 ...
iptables -D <chain> <rule> # delete the rule that matches this specification
iptables -D <chain> 4 # delete rule number 4 of that chain, like -D INPUT 4
iptables-save > /a/file # dump the current ruleset (all tables) to a file
iptables-restore < /a/file # load a ruleset from a file (atomically replaces the current one)
iptables -I FORWARD -s <source> -d <destination> -m state --state RELATED,ESTABLISHED -j ACCEPT # mostly used for routing, but might have some uses if you block all input to a server; what this means is basically "allow connections that were established from the destination initially to come in from a source which would normally be blocked by a deny-all rule"

And the basic formula for iptables (and nftables) is: iptables -I <chain> [ -s <source ip> / -i <input ethernet interface> ] [ -d <destination ip> / -o <output ethernet interface> ] [ -p tcp / udp / icmp --dport / --sport <port> ] -j ACCEPT / DENY / DROP. Accept is obvious, deny is “return a message immediately saying not allowed”, and drop is “silently drop packets, pretending there’s no service running on that port.”

This is mostly what you need to learn for managing Linux servers, but if you can, please use anything else as a network firewall, like OpenBSD / FreeBSD and pf. I’m still using iptables only because initially, on FreeBSD, I had no driver for a USB wifi 6 card (well, I didn’t really have it in Linux either, but I had to compile a kernel module from GitHub on 5.18; after a few months I discarded that for a wifi 6 module instead, which seems to work in Linux 6+ by default, and it might work with FreeBSD or OpenBSD, to which I’d probably change my router).

If you have to use OpenWRT (which is good), then I’m sorry, you have to go through iptables. But at least you get a decent GUI to make some sense out of it. I’m migrating my whole network to OpenWRT wifi APs (although I still keep my Linux router for now).

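As an added example (not code from the post above, and not a ruleset the thread itself endorses), here is a POSIX shell script that writes the small "sane" ruleset the post recommends (SSH, HTTP and HTTPS in, replies to the host's own connections in, everything else dropped, output left open) in iptables-save format, so it can be reviewed and loaded atomically with iptables-restore instead of typed rule by rule. The loopback and ICMP rules, the port list, the `-m conntrack --ctstate` spelling (the modern form of the post's `-m state --state`), the `REJECT` target as the concrete name for what the post calls "deny", and the timed rollback in `apply_rules` are my assumptions and additions, not the post's; `iptables-restore --test` is assumed to be available (iptables 1.6 or newer).

```shell
#!/bin/sh
# Added example, not from the post: generate, check and safely load a minimal
# host firewall in iptables-save format. Run as: sh firewall.sh [ports] > rules
set -eu

# gen_rules [ports]  - print a complete *filter table to stdout.
# ports: comma-separated TCP ports to accept new connections on
# (assumed default 22,80,443, matching the post's "allow 22, 80, 443 in").
gen_rules() {
    ports=${1:-22,80,443}
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback must work, or local services (resolvers, databases) break
-A INPUT -i lo -j ACCEPT
# replies to connections this host opened, and the SSH session you are
# loading these rules over, are accepted here (the post's RELATED,ESTABLISHED)
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# ICMP keeps ping and path-MTU discovery working
-A INPUT -p icmp -j ACCEPT
EOF
    old_ifs=$IFS
    IFS=,
    for p in $ports; do
        printf '%s\n' "-A INPUT -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
    done
    IFS=$old_ifs
    cat <<'EOF'
# The post's "deny" is the REJECT target: answer immediately instead of letting
# the client time out. With the DROP policy above everything else is silently
# dropped; uncomment this to reject TCP with a RST instead:
# -A INPUT -p tcp -j REJECT --reject-with tcp-reset
COMMIT
EOF
}

# check_rules file  - parse the ruleset without committing it (needs root and
# iptables >= 1.6 for --test, an assumption); non-zero exit on bad syntax.
check_rules() {
    iptables-restore --test < "$1"
}

# apply_rules file  - load the ruleset atomically, but first save the current
# one and schedule a rollback to it in 60 seconds. Confirm your SSH session
# still works, then kill the printed PID to keep the new rules. This is the
# safety net for the "learn it in production" problem the post describes.
apply_rules() {
    rollback=$(mktemp)                      # unpredictable path, not /tmp/fixed
    iptables-save > "$rollback"
    ( sleep 60 && iptables-restore < "$rollback" ) &
    rollback_pid=$!
    iptables-restore < "$1"
    echo "rules loaded; run 'kill $rollback_pid' within 60s to keep them" >&2
}

# Default action when run as a script: print the ruleset for review.
gen_rules "$@"
```

Typical use is `sh firewall.sh > /etc/iptables/rules.v4`, then `check_rules /etc/iptables/rules.v4` and `apply_rules /etc/iptables/rules.v4` as root. Because the RELATED,ESTABLISHED rule sits above the port rules and port 22 is allowed, an existing SSH session survives the load; the timed rollback covers the case where it does not.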