Before You Touch Anything: Safe Mode The Core Principle: Keep It Readable Use Interface Lists, Not Interface Names Default Deny, With Logging The Input Chain: Protecting the Router Itself The Forward Chain: Controlling What Passes Through Context: VLAN Segmentation Context: Sitting Behind Cloudflare What to Leave Out Summary