linux
TRUEC0DER, 2021-03-31 19:52:17

DDoS protection directly on IP?

There is a server with an open port, which must stay open, and there are unscrupulous people who wish us and the server every ill and use a paid stresser to send attacks to our server (the server is rented from Hetzner, and according to them there should be protection against attacks, but none is visible). Under attack the server starts to choke. The server is configured with iptables and fail2ban, and the Hetzner firewall is configured to allow only TCP requests, all to no avail. Is it possible to do something on the server side without resorting to hardware? Server specs below.

- Intel Core i7-8700
- NIC 1 Gbit, Intel I219-LM
- 2x SSD M.2 NVMe 1 TB
- 4x RAM 16384 MB DDR4

5 answer(s)
Vladimir, 2021-03-31
@MechanID

If you don't have money for proper DDoS protection, then your options are as follows:
1) Study the netstat output with different keys and think about whether the client IPs can be distinguished from the attacking IPs by the number of connections; if so, read the documentation on the iptables connlimit module.
2) Study the tcpdump or wireshark output, looking for a pattern in the packets that bombard you, in text or in byte sequence; if one is found, read the iptables documentation for the string module.
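The first of those two steps, as an added example that is not code from the answer above: parse `netstat -ntu`-style output, count connections per remote IP on the protected port, flag the sources that exceed what one legitimate client would open, and build the matching connlimit rule. The netstat lines, the addresses and the port number 25565 are all constructed for this example.

```python
from collections import Counter

# Constructed sample of `netstat -ntu` output. Addresses come from the
# documentation ranges 203.0.113.0/24 and 198.51.100.0/24; 10.0.0.5 is
# the server. One remote IP holds four half-open/open connections.
SAMPLE_NETSTAT = """\
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 10.0.0.5:25565          203.0.113.7:51001       SYN_RECV
tcp        0      0 10.0.0.5:25565          203.0.113.7:51002       SYN_RECV
tcp        0      0 10.0.0.5:25565          203.0.113.7:51003       SYN_RECV
tcp        0      0 10.0.0.5:25565          203.0.113.7:51004       ESTABLISHED
tcp        0      0 10.0.0.5:25565          198.51.100.2:40001      ESTABLISHED
tcp        0      0 10.0.0.5:22             198.51.100.9:40002      ESTABLISHED
"""


def connections_per_ip(netstat_output: str, local_port: int) -> Counter:
    """Return {remote_ip: connection_count} for TCP connections to one local port."""
    counts = Counter()
    for line in netstat_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] not in ("tcp", "tcp6"):
            continue  # header line or non-TCP entry
        local, foreign = fields[3], fields[4]
        if int(local.rsplit(":", 1)[1]) != local_port:
            continue  # connection to some other service
        counts[foreign.rsplit(":", 1)[0]] += 1
    return counts


def suspicious_ips(counts: Counter, threshold: int) -> list:
    """IPs holding more concurrent connections than a legitimate client should."""
    return sorted(ip for ip, n in counts.items() if n > threshold)


def connlimit_rule(port: int, limit: int) -> str:
    """iptables rule dropping new TCP connections once a source has `limit` open."""
    return (f"iptables -A INPUT -p tcp --syn --dport {port} "
            f"-m connlimit --connlimit-above {limit} --connlimit-mask 32 -j DROP")


if __name__ == "__main__":
    counts = connections_per_ip(SAMPLE_NETSTAT, 25565)
    for ip in suspicious_ips(counts, threshold=3):
        print(f"{ip}: {counts[ip]} connections")
    print(connlimit_rule(25565, 3))
```

Run it against real `netstat -ntu` output first to learn how many connections your genuine clients open, then set the connlimit threshold above that figure; a limit set too low will lock out real users behind a shared NAT.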

Nadim Zakirov, 2021-03-31
@zkrvndm

Contact your hosting provider; as a rule, most hosting companies offer a DDoS protection service.

Vladimir Korotenko, 2021-03-31
@firedragon

Saturating the channel is the easiest thing, and few things will save you from that. Beyond that, you need to think. After all, a user behaves in some particular way, so cut off the other scenarios. Say, 200 rps from one user to the search is unlikely, right? Then ban that bot.

ky0, 2021-03-31
@ky0

"the server is configured with iptables and fail2ban, and the Hetzner firewall is configured to allow only TCP requests, all to no avail"

Apparently, some of the listed measures are not set up well enough (do you have, for example, a restriction on the geolocation of addresses?). If the whole channel is being filled, that is one thing, but if the bottleneck is the CPU, it means that you are not blocking the IPs aggressively enough, and the application, therefore, is poorly optimized.

Vitaly Karasik, 2021-04-01
@vitaly_il1

1) For the port that should be open to users, open a support ticket with Hetzner requesting protection for it.
The second option is Cloudflare.
2) Close all "your own" services to the Internet; open them only for your IP or via VPN.
