1.1.3  ::  Requirements for a firewall at each Internet connection and between any demilitarized zone (DMZ) and the internal network zone.

Here you need to be sure that you have an iptables server with no other services running on it to function as a border firewall from the internet to your DMZ.  This also means that you cannot run iptables on your webserver and mark this as compliant.  You have to have this firewall as a separate server ‘before’ the connection reachs your webserver.  The rational behind that is if your webserver gets compromised, it means your border firewall is still untouched.