So what happens when you hit a machine that has a port closed? Well: this happens (telnet 127.0.0.30 443):
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on lo, link-type EN10MB (Ethernet), capture size 65535 bytes 20:42:07.706751 IP 127.0.0.1.34056 > 127.0.0.30.443: Flags [S], seq 2590507944, win 43690, options [mss 65495,sackOK,TS val 3717641 ecr 0,nop,wscale 7], length 0
20:42:07.706778 IP 127.0.0.30.443 > 127.0.0.1.34056: Flags [R.], seq 0, ack 2590507945, win 0, length 0
In response to my TCP SYN packet on loopback ip 127.0.0.30:443, which does not have a service running, you see the kernel respond with a TCP RST.
Abhay: You're talking about a router. Is the router being hit here on a closed port, or is some machine behind the router being hit on a closed port?
Only option I see, which really sucks and __I DO_NOT_RECOMMEND_THIS__ because it may also DROP legitimate RST packets when the service actually wants to send it:
iptables -I OUTPUT -p tcp -s 127.0.0.30 --sport 443 --tcp-flags RST RST -j DROP