Put the firewall up FIRST, and open essential ports as necessary. This is network security 101.
I think the question is whether or not you trust iptables to be the firewall, or whether or not you have a dedicated device as a firewall.
Sadly, as a security device, dedicated firewalls are their own can of worms. For example, firmware updates for dedicated firewall devices are often much less frequently issued, and the update process is typically far more painful than you'd see as a mindful admin for a Linux box. Many "dedicated firewall" devices are little more than Linux + iptables + proprietary interface anway, meaning you aren't protected at all if there's a common kernel flaw found. Lastly, being heavily stripped down, you have no way to audit them to see if they *are* compromised, because half your toolchain is missing even if you do have shell access, even though, as a full-fledged, turing complete computing device, they are quite useful to a black hat.
All that said, I do frequently use dedicated firewalls, but also use locked down Linux servers interchangeably. Given the 10+ years of excellent security track record I've maintained going this route, I'm pretty confident this doesn't mean I'm incompetent, as would seem to be the opinion around here.
I am a bit paranoid about security, disabling password access anywhere possible, relying on default-deny firewalls, using port-knocking & non-standard ports for SSH, not using non-ssl connections for *anything* administrative, VPNs required for access to insecure services like IPMI, etc.