# iptables prevent nmap scanning

## dashko

Hello,

If I run

```
nmap -A -T4 myserver.com
```

my server stops responding (meaning 0% load, but I can't connect). Is there some solution (iptables) to prevent this "attack"?

Thanks.

My current iptables "attack" config:

```
##############################
### ATTACKS
##############################

# All TCP sessions should begin with SYN
$IPT -A INPUT -p tcp ! --syn -m state --state NEW -s 0.0.0.0/0 -j DROP

# Limit the number of incoming tcp connections
# incoming syn-flood protection
$IPT -N syn_flood
$IPT -A INPUT -p tcp --syn -j syn_flood
$IPT -A syn_flood -m limit --limit 1/s --limit-burst 3 -j RETURN
$IPT -A syn_flood -j DROP

# fragmented ICMP - sign of DoS attack
$IPT -A INPUT --fragment -p ICMP -j DROP

# Limiting the incoming icmp ping request:
$IPT -A INPUT -p icmp -m limit --limit 1/s --limit-burst 1 -j ACCEPT
$IPT -A INPUT -p icmp -m limit --limit 1/s --limit-burst 1 -j LOG --log-prefix "PING-DROP: "
$IPT -A INPUT -p icmp -j DROP
$IPT -A OUTPUT -p icmp -j ACCEPT

# Force Fragments packets check
$IPT -A INPUT -f -j DROP

# invalid and suspicious packets
$IPT -A INPUT -m state --state INVALID -j DROP

# Stealth scan 1 (NULL packets: no flags set; logged, then dropped)
$IPT -A INPUT -p tcp --tcp-flags ALL NONE -j LOG --log-prefix "FWLOG: Stealth scan (1): "
$IPT -A INPUT -p tcp --tcp-flags ALL NONE -j DROP

# Stealth scan 2 (malformed XMAS packets: all flags set; logged, then dropped)
$IPT -A INPUT -p tcp --tcp-flags ALL ALL -j LOG --log-prefix "FWLOG: Stealth scan (2): "
$IPT -A INPUT -p tcp --tcp-flags ALL ALL -j DROP

# Stealth scan 3
$IPT -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j LOG --log-prefix "FWLOG: Stealth scan (3): "
$IPT -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP

# Stealth scan 4
$IPT -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j LOG --log-prefix "FWLOG: Stealth scan (4): "
$IPT -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP

# Stealth scan 5
$IPT -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j LOG --log-prefix "FWLOG: Stealth scan (5): "
$IPT -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP

# Stealth scan 6
$IPT -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j LOG --log-prefix "FWLOG: Stealth scan (6): "
$IPT -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP

# Port scan
# (note: no rule in INPUT jumps to this chain, so as written it has no effect)
$IPT -N port-scan
$IPT -A port-scan -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j RETURN
$IPT -A port-scan -j DROP

##############################
```
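The posted ruleset has three properties worth checking before blaming the scanner, and a small static lint makes them visible. `-m limit` keeps a single token bucket for the whole rule, not one per source address, so the `syn_flood` chain above admits roughly one new TCP connection per second to the host in total; any client that sends SYNs faster than that (a scanner, or simply a busy browser) empties the bucket and every other client's new connections are dropped, which produces exactly "0% load but can't connect". The `port-scan` chain is created with `-N` but nothing ever jumps to it, and in the original ordering the unlogged XMAS/NULL drops sat in front of the "Stealth scan 1/2" LOG rules, so those log lines could never appear. The script below is an added example, not code from this thread; it parses `$IPT -N` / `$IPT -A ... -j` lines, reports those three problem classes, and rewrites each `-m limit` rule to the equivalent per-source `-m hashlimit` form (`--hashlimit-mode srcip`, `--hashlimit-name <chain>`). `SAMPLE_RULES` is a constructed, condensed copy of the posted rules; the `-m hashlimit` option names are real iptables options, everything else (function names, message wording) is this example's own.

```python
"""Static lint for an iptables rule script such as the one posted above.

Added example, not code from the thread. Parses `$IPT -N chain` and
`$IPT -A chain ... -j TARGET` lines and reports: user chains nothing jumps
to, rules shadowed by an identical earlier terminating rule (their LOG can
never fire), and `-m limit` buckets shared by every source address.
"""
import shlex
from dataclasses import dataclass

# Constructed sample: a condensed copy of the posted ruleset's structure.
SAMPLE_RULES = """\
$IPT -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
$IPT -N syn_flood
$IPT -A INPUT -p tcp --syn -j syn_flood
$IPT -A syn_flood -m limit --limit 1/s --limit-burst 3 -j RETURN
$IPT -A syn_flood -j DROP
$IPT -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
$IPT -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
$IPT -A INPUT -p tcp --tcp-flags ALL NONE -j LOG --log-prefix "FWLOG: Stealth scan (1): "
$IPT -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
$IPT -N port-scan
$IPT -A port-scan -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j RETURN
$IPT -A port-scan -j DROP
"""

TERMINATING = {"ACCEPT", "DROP", "REJECT", "RETURN"}


@dataclass(frozen=True)
class Rule:
    line: int
    prog: str           # "$IPT" or "iptables"
    chain: str
    match: tuple        # tokens between the chain name and -j
    target: str
    target_opts: tuple  # tokens after the target, e.g. --log-prefix "..."


def parse_rules(text):
    """Return (set of chains created with -N, list of -A rules in file order)."""
    defined, rules = set(), []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        toks = shlex.split(line)
        if len(toks) >= 3 and toks[1] == "-N":
            defined.add(toks[2])
        elif len(toks) >= 3 and toks[1] == "-A":   # -I reorders; not handled here
            rest = toks[3:]
            if "-j" not in rest:
                continue                            # match-only rule, nothing to check
            j = rest.index("-j")
            rules.append(Rule(n, toks[0], toks[2], tuple(rest[:j]),
                              rest[j + 1], tuple(rest[j + 2:])))
    return defined, rules


def unreferenced_chains(defined, rules):
    """User chains that exist but are never a -j target (dead rules)."""
    return sorted(defined - {r.target for r in rules})


def shadowed_rules(rules):
    """(line, shadowing_line) pairs where an identical match already terminated.

    Only exact duplicates are detected; a broader earlier match also shadows,
    but that needs a real match-set comparison.
    """
    first, out = {}, []
    for r in rules:
        key = (r.chain, r.match)
        if key in first:
            out.append((r.line, first[key]))
        elif r.target in TERMINATING:
            first[key] = r.line
    return out


def global_rate_limits(rules):
    """Rules using -m limit: one token bucket shared by all source addresses."""
    return [r for r in rules
            if any(a == "-m" and b == "limit" for a, b in zip(r.match, r.match[1:]))]


def per_source_rewrite(rule):
    """Rewrite a -m limit rule as the equivalent -m hashlimit rule keyed on srcip."""
    toks, out = iter(rule.match), []
    for t in toks:
        if t == "limit" and out and out[-1] == "-m":
            out.append("hashlimit")
        elif t == "--limit":
            out += ["--hashlimit-upto", next(toks)]
        elif t == "--limit-burst":
            out += ["--hashlimit-burst", next(toks)]
        else:
            out.append(t)
    out += ["--hashlimit-mode", "srcip", "--hashlimit-name", rule.chain]
    parts = [rule.prog, "-A", rule.chain, *out, "-j", rule.target, *rule.target_opts]
    return " ".join(shlex.quote(p) if " " in p else p for p in parts)


def lint(text):
    """Human-readable findings for a rule script."""
    defined, rules = parse_rules(text)
    msgs = [f"chain {c} is created with -N but nothing jumps to it"
            for c in unreferenced_chains(defined, rules)]
    msgs += [f"line {a} is unreachable: identical match already terminated at line {b}"
             for a, b in shadowed_rules(rules)]
    for r in global_rate_limits(rules):
        msgs.append(f"line {r.line}: -m limit is one bucket for all sources; "
                    f"per-source form: {per_source_rewrite(r)}")
    return msgs


if __name__ == "__main__":
    for m in lint(SAMPLE_RULES):
        print(m)
```

Run it against the real script by reading the file instead of `SAMPLE_RULES`. The per-source rewrite is what turns the SYN limit from a host-wide budget into a per-client one: a scanner that exceeds its own bucket is dropped while other clients' handshakes still go through, and the same rewrite applies to the ICMP limit rules.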

----------

## eccerr0r

At one point I had a Cisco 675 DSL CPE/router that would crash if nmapped. Turns out there's nothing I could do but replace the router with a more sane one.

What I wonder is what packets actually do arrive at your machine before it stops responding. I suspect it's more the router or other upstream equipment getting choked, unless you're running the nmap locally (on the machine being tested)? Then that's more of a kernel problem...

----------

