Having done a basic nmap and knowing what pi-hole is listening, will it do any harm if I put up a firewall using iptables?
No, unless you block Pi-hole from contacting the upstream server.
Thanks for prompt reply. On a side note can anything be done about referrer pages?
No, we can't change URLs or replace domains with other domains.
Not as far as Pi-hole is concerned (granted you allow the right ports), and the performance impact will be negligible, even on an RPi Zero - BUT make a strong mental note and/or document in some place very obvious that you did configure a firewall, just in case you want to expand your Pi-hole's capabilities at some later time (e.g. by adding third-party upstream DNS-over-TLS support utilizing port 853).
Edit:
And since you mention protection, please be aware that Pi-hole strongly discourages its users from running an open resolver (i.e. don't expose Pi-hole to public access).
Thanks for your response and yes. I am a firm believer in documenting what I do before I DO IT. I already have a backup of the main system and will implement the blocks in stages, leaving a space before I implement any others. Document, watch, document and then put in the next set. Whilst always having a roll back plan.
The Pi-Hole itself is running on PI4 4GB in a flirc case. Ok it might be overkill but the flirc case limits me from using hats so I thought I would put it to this task.
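
As an added example (not from the thread or from the Pi-hole project), the function below emits an iptables-restore ruleset in line with the advice above: DNS and the web interface are reachable only from the LAN, so the host is not an open resolver, and the conntrack rule lets replies from the upstream server back in. The LAN subnet, the web interface on port 80 and the SSH rule are assumptions; adjust them to your setup.

```shell
#!/bin/sh
# Added example: print an iptables-restore ruleset for a Pi-hole host.
# Assumptions: IPv4 only, clients live in one LAN subnet, admin access via SSH.

pihole_rules() {
    lan="$1"   # LAN subnet in CIDR form, e.g. 192.168.1.0/24 (constructed sample)

    # Refuse an empty or match-everything source: that would expose
    # port 53 to any address, i.e. an open resolver.
    case "$lan" in
        ''|*/0)
            echo "refusing: '$lan' would allow DNS from anywhere" >&2
            return 1
            ;;
    esac

    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Loopback traffic stays unrestricted
-A INPUT -i lo -j ACCEPT
# Replies to connections Pi-hole opened itself (upstream DNS answers,
# including DNS-over-TLS on 853 if added later) are let back in
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# DNS from LAN clients only
-A INPUT -s $lan -p udp --dport 53 -j ACCEPT
-A INPUT -s $lan -p tcp --dport 53 -j ACCEPT
# Web interface from the LAN only
-A INPUT -s $lan -p tcp --dport 80 -j ACCEPT
# SSH for administration (assumed; drop this line if unused)
-A INPUT -s $lan -p tcp --dport 22 -j ACCEPT
COMMIT
EOF
}

# Staged rollout: parse the rules without committing, then apply.
#   pihole_rules 192.168.1.0/24 | sudo iptables-restore --test
#   pihole_rules 192.168.1.0/24 | sudo iptables-restore
```

Because OUTPUT is left at ACCEPT, queries to the upstream server are never blocked; the failure to watch for is a default-drop INPUT policy without the ESTABLISHED,RELATED rule, which silently discards the upstream replies.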