
The following keeps showing up in my nginx log:
202.61.87.159 - - [22/Mar/2019:01:56:10 +0800] "GET /nmaplowercheck1553190762 HTTP/1.1" 400 5 "-" "Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)"
202.61.87.159 - - [22/Mar/2019:01:56:10 +0800] "GET / HTTP/1.0" 400 0 "-" "-"
202.61.87.159 - - [22/Mar/2019:01:56:10 +0800] "POST /sdk HTTP/1.1" 400 5 "-" "Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)"
202.61.87.159 - - [22/Mar/2019:01:56:10 +0800] "GET /HNAP1 HTTP/1.1" 400 5 "-" "Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)"
202.61.87.159 - - [22/Mar/2019:01:56:10 +0800] "GET / HTTP/1.1" 400 5 "-" "-"
123.249.13.251 - - [22/Mar/2019:01:56:12 +0800] "GET / HTTP/2.0" 400 0 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20100101 Firefox/31.0"
202.61.87.159 - - [22/Mar/2019:02:35:01 +0800] "GET / HTTP/1.0" 400 0 "-" "-"
202.61.87.159 - - [22/Mar/2019:02:35:01 +0800] "GET /nmaplowercheck1553193092 HTTP/1.1" 400 5 "-" "Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)"
202.61.87.159 - - [22/Mar/2019:02:35:01 +0800] "POST /sdk HTTP/1.1" 400 5 "-" "Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)"
202.61.87.159 - - [22/Mar/2019:02:35:01 +0800] "GET /HNAP1 HTTP/1.1" 400 5 "-" "Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)"
202.61.87.159 - - [22/Mar/2019:02:35:01 +0800] "GET / HTTP/1.1" 200 42248 "-" "-"

For now I'm using fail2ban as a stopgap: whenever a request with HTTP/1.* shows up in the nginx log, the source gets banned outright for 86400s (normal log entries are generally HTTP/2.0).
Also, the solutions I found are iptables rules, and the blog posts are all pretty old, from around 2014...
CentOS 7 has switched to firewalld as well.
My idea is: if nmap still uses these same protocols to scan, would it be enough to just convert the iptables rules to firewalld?
# Appended: the iptables rules I found
iptables -F                                                     # flushes every existing rule in the filter table first
iptables -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP    # drops XMAS-style probes (only FIN, URG and PSH set)
iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP    # drops packets with SYN and RST both set (never valid)
iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP    # drops packets with SYN and FIN both set (never valid)
iptables -A INPUT -p tcp --tcp-flags SYN SYN --dport 80 -j DROP # drops every SYN to port 80, i.e. all new connections to 80, not only scans

1  wzw  23 March 2019  via iPhone
A machine on the public internet? Port 80 getting scanned is nothing to worry about, is it?
2  WordTian  23 March 2019  via Android
As long as your service is still running, it is impossible to completely block nmap scans; you can only make scanning harder, or rather raise the time cost of a scan. In general, picking a suitable zone in firewalld and dropping all packets to non-service ports is about as good as it gets.
5  wtks1  23 March 2019  via Android
Actually, CentOS 7 can still use iptables.
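As an added example (not from this thread), the fail2ban-style detection the original poster describes, applied to the log format shown in the post: it parses nginx combined-format lines, flags the Nmap Scripting Engine user agent and the probe paths visible above (/nmaplowercheck, /sdk, /HNAP1) as strong signals, and keeps the poster's "any HTTP/1.x request" rule as a weak signal that must repeat before an address is flagged, so a monitoring check over HTTP/1.1 is not banned. The sample lines are taken from the post plus one constructed benign line; the thresholds are assumptions.

```python
import re
from collections import defaultdict

# nginx "combined" log format, matching the lines posted in the thread
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>HTTP/[\d.]+)" '
    r'(?P<status>\d{3}) (?P<size>\d+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# Paths requested by Nmap's HTTP NSE probes, as seen in the posted log
NSE_PATHS = ("/nmaplowercheck", "/sdk", "/HNAP1")
STRONG = {"nse-user-agent", "nse-probe-path"}

def parse(line):
    """Return the fields of one log line as a dict, or None if it is malformed."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def classify(rec):
    """List the reasons a parsed request looks like an Nmap probe (empty = benign)."""
    reasons = []
    if "Nmap Scripting Engine" in rec["ua"]:
        reasons.append("nse-user-agent")
    if any(rec["path"].startswith(p) for p in NSE_PATHS):
        reasons.append("nse-probe-path")
    if rec["proto"].startswith("HTTP/1."):
        # the poster's fail2ban rule; weak on its own, since curl and monitors also speak HTTP/1.x
        reasons.append("http1-request")
    return reasons

def find_scanners(lines, maxretry=3):
    """fail2ban-style aggregation per source IP: one strong signal is enough,
    the weak HTTP/1.x signal must occur at least maxretry times (assumed threshold)."""
    reasons = defaultdict(list)
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue  # malformed line: skip it rather than ban on garbage
        reasons[rec["ip"]].extend(classify(rec))
    flagged = {}
    for ip, rs in reasons.items():
        weak = sum(1 for r in rs if r not in STRONG)
        if STRONG & set(rs) or weak >= maxretry:
            flagged[ip] = sorted(set(rs))
    return flagged

SAMPLE = [  # first five lines from the post, last line constructed (a benign HTTP/1.1 uptime check)
    '202.61.87.159 - - [22/Mar/2019:01:56:10 +0800] "GET /nmaplowercheck1553190762 HTTP/1.1" 400 5 "-" "Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)"',
    '202.61.87.159 - - [22/Mar/2019:01:56:10 +0800] "GET / HTTP/1.0" 400 0 "-" "-"',
    '202.61.87.159 - - [22/Mar/2019:01:56:10 +0800] "POST /sdk HTTP/1.1" 400 5 "-" "Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)"',
    '202.61.87.159 - - [22/Mar/2019:01:56:10 +0800] "GET /HNAP1 HTTP/1.1" 400 5 "-" "Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)"',
    '123.249.13.251 - - [22/Mar/2019:01:56:12 +0800] "GET / HTTP/2.0" 400 0 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20100101 Firefox/31.0"',
    '198.51.100.7 - - [22/Mar/2019:02:00:00 +0800] "GET /healthz HTTP/1.1" 200 2 "-" "UptimeBot/1.0"',
]

if __name__ == "__main__":
    print(find_scanners(SAMPLE))  # only 202.61.87.159 is flagged
```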