For this reason I've set up an OpnSense VM on my dedicated Hetzner server where all inbound and outbound IPv4/IPv6 traffic has to go through; it acts as a gateway for the host itself and my other VMs. OpnSense itself is a pretty powerful firewall with tons of other features.
Of course you'll lose access to your server if the OpnSense VM breaks or doesn't boot up for whatever reason after an update or so, but after 2 years I haven't had any problems. But in case something goes wrong, Hetzner offers some nice recovery options: even if you don't have internet access to your server, you can access your volumes in some kind of VM and get access to it via a VNC-like interface (I had to use this feature a few times during the initial setup, which consisted of a lot of trial and error; I locked myself out a few times).
I wouldn't run this setup for anything mission-critical of course; it's way too hacky and an official firewall solution would be better, but for my personal purposes as a "home lab"-like setup it works perfectly fine so far.