Yes. I don't remember the exact detail, but go look for a 'question' (actually, a Community Wiki) from me with the title "iptables Tips & Tricks". There, you can find an iptables rule specifically designed to stump nmap.
In addition, I deploy a TARPIT target in the INPUT chain. TARPIT basically 'traps' anyone trying to open a TCP connection by allowing the TCP three-way handshake, but afterwards locking the TCP Window Size to 0 and dropping all states regarding that connection in the firewall. The host that has tried to open a port is now trapped: the connection is made, but it can't send anything, and since it never receives a FIN or a RST, it is stuck in TCP-Established state until TCP timeout*. Meanwhile, the firewall just chugs along merrily, since it has dropped all states of that connection, so no resource is being used.
A combination of both successfully stumped all kinds of portscanners. They die when they touch my firewall :)
* TCP timeout is a lot longer than TCP SYN timeout. About three orders of magnitude longer, IIRC. Thus, portscanners will run extremely slowly as their threads get stuck waiting for TCP timeout.
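A ruleset that puts the TARPIT target in the INPUT chain as described above, added here as an example (not the rule from the answer or its linked wiki), in iptables-restore format. It assumes the TARPIT target from xtables-addons is installed, that SSH on port 22 is the only service this IPv4 host offers, and that the host does not forward traffic; the rule order is the important part, because the tarpit rule must come after the rule accepting replies to the host's own outbound connections.

```iptables
# Constructed example for iptables-restore; assumes xtables-addons provides TARPIT.
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
# Return traffic for connections this host opened must be accepted BEFORE the
# tarpit rule, or the box would tarpit the replies to its own outbound sessions.
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Stray packets that belong to no known flow are dropped rather than tarpitted.
-A INPUT -m conntrack --ctstate INVALID -j DROP
# The one service actually offered: only new connections to port 22 get through.
-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
# Every other TCP port: complete the handshake, then pin the window to 0.
# TARPIT must see all packets of the flow (the handshake ACK and the later
# zero-window probes), so it matches all TCP here, not just SYNs.
-A INPUT -p tcp -j TARPIT
# Non-TCP traffic falls through to the chain policy (DROP).
COMMIT
```

Load it with `iptables-restore < file` and verify with `iptables -L INPUT -v -n` that the ESTABLISHED,RELATED rule sits above the TARPIT rule. The xtables-addons manual additionally suggests a `-j NOTRACK` rule in the raw table for tarpitted ports so conntrack never allocates entries for them; that only works per port, since a blanket NOTRACK on all TCP would also untrack the replies to the host's own outbound connections and send them into the tarpit.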