I'm not talking about just blocking ports.
I remember finding a host where, when I ran a normal TCP scan (nmap hostname), nmap wouldn't return any meaningful results. It was having problems with timeouts. If I set the timeout value to something pretty low and set --max-retries 0, then it would work.
Does anyone know of an iptables ruleset that causes problems for nmap?
Yes. I don't remember the exact detail, but go look for a 'question' (actually, a Community Wiki) from me with the title "iptables Tips & Tricks". There, you can find an iptables rule specifically designed to stump nmap.
In addition, I deploy a TARPIT target in the INPUT chain. TARPIT basically 'traps' anyone trying to open a TCP connection by allowing the TCP three-way handshake, but afterwards locking the TCP Window Size to 0 and dropping all states regarding that connection in the firewall. The host that has tried to open a port is now trapped: the connection is made, but it can't send anything, and since it never receives a FIN or a RST, it is stuck in the TCP ESTABLISHED state until TCP timeout*. Meanwhile, the firewall just chugs along merrily, since it has dropped all states of that connection, so no resource is being used.
A combination of both successfully stumped all kinds of portscanners. They die when they touch my firewall :)
* TCP timeout is a lot longer than TCP SYN timeout. About three orders of magnitude longer, IIRC. Thus, portscanners will run extremely slowly as their threads get stuck waiting for TCP timeout.
If you want to prevent a host from being SYN scanned, you can use 2 methods:
Trap Method:
iptables -A INPUT -p tcp -m multiport --dports 23,79 --tcp-flags ALL SYN -m limit --limit 3/m --limit-burst 6 -m recent --name blacklist --set -j DROP
iptables -A INPUT -m recent --rcheck --name blacklist -j DROP
Normal way:
iptables -A INPUT -p tcp --syn -m limit --limit 7/s -m recent --name blacklist --set -j DROP
iptables -A INPUT -m recent --rcheck --name blacklist -j DROP
If you want to protect your host from FIN, ACK, Xmas or other scans, tell me and I'll update my answer.
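To see how the "Trap Method" rules in the answer above actually behave before loading them on a real box, here is an offline simulation. It is added example code, not part of the original answer, and it is an approximation: the token-bucket class stands in for the xt_limit match (--limit 3/m --limit-burst 6), the RecentList class stands in for the xt_recent list (--set / --rcheck), and the packet events, source addresses and timestamps are constructed. It also goes slightly beyond the answer by showing one caveat of that rule order: the limit is a single global bucket, not a per-source one, so once the burst is spent a SYN to a trap port is no longer recorded until tokens refill.

```python
"""Offline simulation of the two-rule 'trap port' iptables scheme (added example).

Rule 1: SYN-only packets to the trap ports (23, 79), while the global limit
        bucket still has tokens, record the source in the 'blacklist' list
        and are DROPped.
Rule 2: any packet whose source is already in 'blacklist' is DROPped.
Everything else is ACCEPTed (stands in for the rest of the INPUT chain).
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Tuple


@dataclass
class Packet:
    ts: float            # seconds since start of the trace (constructed)
    src: str             # source address (constructed, documentation ranges)
    dport: int           # destination TCP port
    flags: FrozenSet[str]


class TokenBucket:
    """Approximation of xt_limit: '--limit N/period --limit-burst B'.

    The bucket starts full (B tokens), refills at N per period, and a match
    consumes one token. Only packets that reach this match consume tokens.
    """

    def __init__(self, rate_per_sec: float, burst: int) -> None:
        self.rate = rate_per_sec
        self.burst = burst
        self.tokens = float(burst)
        self.last = None

    def allow(self, ts: float) -> bool:
        if self.last is not None:
            self.tokens = min(self.burst, self.tokens + (ts - self.last) * self.rate)
        self.last = ts
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class RecentList:
    """Approximation of xt_recent: '--set' records a source, '--rcheck' tests it.

    Without '--seconds', an rcheck never expires an entry, so a listed source
    stays blocked until the kernel evicts it from the (bounded) list.
    """

    def __init__(self) -> None:
        self.entries = {}

    def set(self, src: str, ts: float) -> None:
        self.entries[src] = ts

    def rcheck(self, src: str) -> bool:
        return src in self.entries


class TrapFirewall:
    TRAP_PORTS = {23, 79}

    def __init__(self) -> None:
        self.limit = TokenBucket(rate_per_sec=3 / 60, burst=6)   # --limit 3/m --limit-burst 6
        self.blacklist = RecentList()

    def verdict(self, pkt: Packet) -> str:
        # Rule 1: '-p tcp -m multiport --dports 23,79 --tcp-flags ALL SYN
        #          -m limit ... -m recent --name blacklist --set -j DROP'
        # Matches are evaluated left to right, so the limit bucket is only
        # touched by SYN-only packets to a trap port.
        if (pkt.dport in self.TRAP_PORTS
                and pkt.flags == frozenset({"SYN"})
                and self.limit.allow(pkt.ts)):
            self.blacklist.set(pkt.src, pkt.ts)
            return "DROP"
        # Rule 2: '-m recent --rcheck --name blacklist -j DROP'
        if self.blacklist.rcheck(pkt.src):
            return "DROP"
        return "ACCEPT"


def run_trace(events: List[Tuple[float, str, int, set]]) -> List[str]:
    """Feed constructed (ts, src, dport, flags) events through a fresh firewall."""
    fw = TrapFirewall()
    return [fw.verdict(Packet(ts, src, dport, frozenset(flags))) for ts, src, dport, flags in events]


# Constructed trace: one ordinary client and one host that probes a trap port.
SAMPLE_TRACE = [
    (0.00, "198.51.100.7", 22, {"SYN"}),          # normal client, not a trap port -> ACCEPT
    (0.05, "203.0.113.9", 22, {"SYN"}),           # scanner's first probe, not yet listed -> ACCEPT
    (0.06, "203.0.113.9", 23, {"SYN"}),           # trap port hit -> listed and DROP
    (0.07, "203.0.113.9", 80, {"SYN"}),           # now every packet from it is DROPped
    (0.10, "198.51.100.7", 23, {"SYN", "ACK"}),   # not SYN-only, so rule 1 ignores it -> ACCEPT
    (1.00, "198.51.100.7", 443, {"SYN"}),         # the ordinary client is unaffected -> ACCEPT
]


def burst_exhaustion_trace() -> List[str]:
    """Seven distinct sources hit port 23 within a few ms: only the first six
    (the burst) are recorded; the seventh falls through to ACCEPT."""
    events = [(0.001 * i, f"192.0.2.{i + 1}", 23, {"SYN"}) for i in range(7)]
    return run_trace(events)


if __name__ == "__main__":
    for ev, v in zip(SAMPLE_TRACE, run_trace(SAMPLE_TRACE)):
        print(f"t={ev[0]:.2f} {ev[1]:>14} dport={ev[2]:<4} {sorted(ev[3])} -> {v}")
    print("burst test:", burst_exhaustion_trace())
```

The sample trace shows the intended effect: one SYN to a trap port is enough to turn every later packet from that source into a DROP, while a host that only talks to real services, or sends a SYN/ACK rather than a bare SYN, is never listed. The burst test is the caveat: because the limit match sits in front of the recent --set, the bucket is shared across all sources, so a seventh source arriving inside the same burst window is not blacklisted. If per-source accounting matters, the usual fix is to move the rate limit onto a per-source match (hashlimit) or to drop the limit from the trap rule entirely, which the original rule uses only to keep the recent list from being flooded.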
You might find this interesting; it describes how to detect and block portscans in real time.