It seems wild to suggest that what amounts to an IP-based rate limit via netfilter could be “better than cloudflare”.
Part of what Cloudflare is providing is filtering methodology, but another major part is having a giant pipe. The average colocated server is gonna have a gigabit or 10gig uplink, so an attacker who can generate that much traffic (which is tiny as attacks go) is going to take your site offline even if you perfectly identify and drop 100% of their traffic once it hits your server.
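As an added illustration of the two points in the comment above (this is not code from the thread, from jart/tokenbucket, or from netfilter): a per-source-IP token bucket modelled in Python, run over constructed traffic from one well-behaved client and one flooding source. The filter itself is the textbook algorithm; the second thing it reports, `uplink_bytes`, is the caveat the comment makes: a packet dropped at the host has already crossed the uplink. The addresses, rates and packet sizes are made up for the example.

```python
# Added example: a per-source-IP token-bucket filter, modelled in Python rather
# than as netfilter rules. Not code from jart/tokenbucket; it makes no claim
# about how that tool is implemented. All traffic below is constructed.
from dataclasses import dataclass


@dataclass
class Bucket:
    tokens: float      # packets this source may still send right now
    last: float        # timestamp of the last refill


class PerIpTokenBucket:
    """Classic token bucket, one bucket per source address.

    rate  = sustained packets/second allowed per source
    burst = bucket capacity, i.e. how many packets may arrive back-to-back
    """

    def __init__(self, rate: float, burst: float):
        self.rate = rate
        self.burst = burst
        self.buckets: dict[str, Bucket] = {}

    def allow(self, src: str, now: float) -> bool:
        b = self.buckets.get(src)
        if b is None:
            # a source we have not seen before starts with a full bucket
            b = Bucket(tokens=self.burst, last=now)
            self.buckets[src] = b
        # refill proportionally to elapsed time, never above capacity
        elapsed = max(0.0, now - b.last)
        b.tokens = min(self.burst, b.tokens + elapsed * self.rate)
        b.last = now
        if b.tokens >= 1.0:
            b.tokens -= 1.0
            return True
        return False


def filter_traffic(packets, rate: float, burst: float) -> dict:
    """Run (timestamp, src_ip, nbytes) packets through the per-IP filter.

    Reports what crossed the uplink versus what the host let through:
    dropping a packet at the host does not un-send it, so 'uplink_bytes'
    counts every byte that arrived, accepted or not.
    """
    limiter = PerIpTokenBucket(rate, burst)
    accepted: dict[str, int] = {}
    dropped: dict[str, int] = {}
    uplink_bytes = 0
    delivered_bytes = 0
    for t, src, nbytes in sorted(packets, key=lambda p: p[0]):
        uplink_bytes += nbytes
        if limiter.allow(src, t):
            delivered_bytes += nbytes
            accepted[src] = accepted.get(src, 0) + 1
        else:
            dropped[src] = dropped.get(src, 0) + 1
    return {
        "uplink_bytes": uplink_bytes,
        "delivered_bytes": delivered_bytes,
        "accepted": accepted,
        "dropped": dropped,
    }


def uplink_load(uplink_bytes: int, seconds: float, link_bps: float) -> float:
    """Fraction of link capacity consumed over the window (>= 1.0 means the pipe is full)."""
    return (uplink_bytes * 8) / (seconds * link_bps)


def constructed_sample():
    """Constructed traffic: 10.0.0.1 sends 1 packet/s for 10 s (500 B each);
    203.0.113.9 (a TEST-NET-3 address) fires 1000 packets of 1400 B at t=0.5."""
    good = [(float(t), "10.0.0.1", 500) for t in range(10)]
    flood = [(0.5, "203.0.113.9", 1400) for _ in range(1000)]
    return good + flood


if __name__ == "__main__":
    result = filter_traffic(constructed_sample(), rate=5.0, burst=10.0)
    print(result)
    print("uplink load on a 1 Gbit/s link over 10 s:",
          uplink_load(result["uplink_bytes"], 10.0, 1e9))
```

With a 5 packet/s sustained rate and a burst of 10, the flooding source gets exactly its burst through and loses the other 990 packets, while the normal client is never touched. The uplink still carried all 1.4 MB of the flood; scale the constructed flood up to the link's line rate and `uplink_load` crosses 1.0 regardless of how well the filter works, which is the comment's point.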
DDoS mitigation better than Cloudflare (according to jart): https://github.com/jart/tokenbucket
The tyranny of Cloudflare: https://framagit.org/dCF/deCloudflare/-/blob/master/readme/e...