How to write nftables rules to prohibit port scans

Hi there,

I'm new to the nftables utility, could someone help me with how I can write nftables rules based on the following iptables rules:

iptables -I INPUT 2 -p tcp --tcp-flags ALL NONE -j DROP
iptables -I INPUT 3 -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
iptables -I INPUT 4 -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
iptables -I INPUT 5 -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
iptables -I INPUT 6 -p tcp --tcp-flags ACK,FIN FIN -j DROP
iptables -I INPUT 7 -p tcp --tcp-flags ACK,PSH PSH -j DROP
iptables -I INPUT 8 -p tcp --tcp-flags ACK,URG URG -j DROP
iptables -I INPUT 9 -p tcp -m tcp --tcp-flags FIN,ACK FIN -j DROP
iptables -I INPUT 10 -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROP
iptables -I INPUT 11 -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
iptables -I INPUT 12 -m psd -j DROP

What kind of nftables packages should I have to install to support it? And what kind of changes, and where in OpenWrt, should I make to complete the issue properly? Please.

Thanks in advance.

This seems an overly complicated way of achieving the same thing as just setting the input rule for the WAN zone to 'drop'.

What exactly are you trying to achieve with all those rules?


If you want to/need to have WAN open but still drop (most of) these packets, a simple 'invalid' does the same.
I would recommend adding a counter and seeing how much of this traffic you actually get. My experience is that it's rather rare these days.

Just a remark: the default action in the FW for external traffic from the internet is REJECT; you can change it to DROP.
And you can't really "prohibit" port scans, you can only modify your router's action when they happen.


And if you get a lot of traffic, then insert a rate limit rule, i.e. with a source address check at the beginning.

My first suggestions are these:


Other remarks:

  • as @frollic noted, changing the WAN zone Input to DROP would remove the need for these rules
  • you should express your rules in UCI firewall syntax in the future, so you don't have to translate them into the underlying iptables/nft commands
  • All your TCP rules could be made into one: "drop new inbound TCP that != SYN" - just FYI (I previously used such a rule on OpenWrt versions based on iptables)

These kinds of bogus, martian and Christmas tree packets are rare. Most, in my experience today, are port scans for real services and related reflected traffic designed to amplify to other DSTs.


So, there are a bunch of goals I'm pursuing, such as learning to work with the rules, understanding and sharpening my skills in the syntax, and of course protecting myself.


tcp flags & (fin|syn|rst|psh|ack|urg) == 0x0 counter drop
tcp flags & (fin|syn) == fin|syn counter drop
tcp flags & (syn|rst) == syn|rst counter drop
tcp flags & (fin|rst) == fin|rst counter drop
tcp flags & (fin|ack) == fin counter drop
tcp flags & (ack|urg) == urg counter drop
tcp flags & (fin|ack) == fin counter drop
tcp flags & (psh|ack) == psh counter drop
tcp flags & (fin|syn|rst|psh|ack|urg) == fin|syn|rst|psh|ack|urg counter drop
tcp flags & (fin|syn|rst|psh|ack|urg) == 0x0 counter drop
tcp flags & (fin|syn|rst|psh|ack|urg) == fin|psh|urg counter drop
tcp flags & (fin|syn|rst|psh|ack|urg) == fin|syn|psh|urg counter drop
tcp flags & (fin|syn|rst|psh|ack|urg) == fin|syn|rst|ack|urg counter drop

As for rule 12, I have not translated it yet.
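As an added example (my own code, not anything from this thread or from OpenWrt), here is a small Python model of the mask/compare semantics that both `--tcp-flags MASK COMP` and nft's `tcp flags & (MASK) == VALUE` use. It parses the posted nft lines, checks them against iptables rules 1-10 over all 64 flag combinations, reports which lines add nothing beyond earlier ones, and confirms that the single "drop TCP whose flags != syn" rule suggested above covers every one of them. The flag values and the two rule lists are embedded as constructed input.

```python
import re

FLAGS = {"fin": 0x01, "syn": 0x02, "rst": 0x04, "psh": 0x08, "ack": 0x10, "urg": 0x20}
ALL = 0x3F  # all six flags the rules mention

def bits(spec):
    """Turn 'SYN,FIN', 'fin|syn', 'ALL', 'NONE' or '0x0' into a flag bitmask."""
    spec = spec.strip().lower()
    if spec in ("all", "none", "0x0"):
        return ALL if spec == "all" else 0
    return sum(FLAGS[name] for name in re.split(r"[|,]", spec))

def parse_nft(line):
    """'tcp flags & (MASK) == VALUE' matches when (flags & MASK) == VALUE."""
    mask, value = re.search(r"tcp flags & \((.+?)\) == (\S+)", line).groups()
    return bits(mask), bits(value)

def drop_set(rules):
    """Flag combinations 0..63 dropped by a list of (mask, value) rules."""
    return {f for f in range(64) if any((f & m) == v for m, v in rules)}

def redundant(rules):
    """0-based indices of rules already fully covered by the rules before them."""
    return [i for i in range(len(rules)) if drop_set(rules[i:i + 1]) <= drop_set(rules[:i])]

def covered_by_not_syn(rules):
    """True if 'tcp flags & (all six flags) != syn' drops everything these rules drop."""
    return drop_set(rules) <= {f for f in range(64) if f != FLAGS["syn"]}

# Constructed input: iptables rules 1-10 from the thread as (MASK, COMP) pairs,
# and the nft translation exactly as posted above.
IPTABLES = [(bits(m), bits(c)) for m, c in [
    ("ALL", "NONE"), ("SYN,FIN", "SYN,FIN"), ("SYN,RST", "SYN,RST"),
    ("FIN,RST", "FIN,RST"), ("ACK,FIN", "FIN"), ("ACK,PSH", "PSH"), ("ACK,URG", "URG"),
    ("FIN,ACK", "FIN"), ("ALL", "ALL"), ("ALL", "NONE")]]
NFT = [parse_nft(l) for l in """\
tcp flags & (fin|syn|rst|psh|ack|urg) == 0x0 counter drop
tcp flags & (fin|syn) == fin|syn counter drop
tcp flags & (syn|rst) == syn|rst counter drop
tcp flags & (fin|rst) == fin|rst counter drop
tcp flags & (fin|ack) == fin counter drop
tcp flags & (ack|urg) == urg counter drop
tcp flags & (fin|ack) == fin counter drop
tcp flags & (psh|ack) == psh counter drop
tcp flags & (fin|syn|rst|psh|ack|urg) == fin|syn|rst|psh|ack|urg counter drop
tcp flags & (fin|syn|rst|psh|ack|urg) == 0x0 counter drop
tcp flags & (fin|syn|rst|psh|ack|urg) == fin|psh|urg counter drop
tcp flags & (fin|syn|rst|psh|ack|urg) == fin|syn|psh|urg counter drop
tcp flags & (fin|syn|rst|psh|ack|urg) == fin|syn|rst|ack|urg counter drop
""".splitlines()]
```

The model covers only the flag bits, not conntrack state, so it says nothing about which of these packets conntrack would classify as new versus invalid.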