linux防止nmap扫描

1、首先关闭Centos7自带的firewalld

[root@node ~]# systemctl disable firewalld.service && systemctl stop firewalld.service

2、安装iptables服务

[root@node ~]# yum install iptables-services iptables-devel  -y

[root@node ~]# systemctl enable iptables 

3、添加防止nmap扫描规则

3.1通修改配置添加

[root@node ~]# vim /etc/sysconfig/iptables

# Generated by iptables-save v1.4.21 on Tue Jul  9 21:09:09 2019

*filter

:INPUT ACCEPT [0:0]

:FORWARD ACCEPT [0:0] 

-A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j REJECT

-A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j REJECT

-A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j REJECT

-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

#开放端口

-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT

-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT

-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT

-A INPUT -p icmp -j ACCEPT

-A INPUT -i lo -j ACCEPT

-A INPUT -j REJECT --reject-with icmp-host-prohibited

-A FORWARD -j REJECT --reject-with icmp-host-prohibited

 COMMIT

# Completed on Tue Jul  9 21:09:09 2019

 [root@node ~]# systemctl start iptables

3.3 使用iptables服务防止nmap扫描

[root@node ~]# iptables -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP

[root@node ~]# iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP

[root@node ~]# iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP

[root@node ~]# iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

[root@node ~]# iptables -A INPUT -p icmp -j ACCEPT

[root@node ~]# iptables -A INPUT -i lo -j ACCEPT

[root@node ~]# iptables -A INPUT -j REJECT --reject-with icmp-host-prohibited

[root@node ~]# iptables -A FORWARD -j REJECT --reject-with icmp-host-prohibited

[root@node ~]# service iptables save

注：DROP：丢弃返回超时连接，REJECT：明示拒绝，ACCEPT：接受