[x] I checked the documentation and found no answer
[x] I checked to make sure that this issue has not already been filed
Problem Description
Feature requests:
More network-related stealth features with better IPTables rules
Prevent AdGuard from overriding custom ADGUARD_INPUT/ADGUARD_OUTPUT chain rules when AdGuard is restarted/updated
Disable IPv6 interface assignments entirely
Problems:
Default AdGuard AdBlocker ADGUARD_INPUT and ADGUARD_OUTPUT IPTable chains allow for inbound ICMP, inbound IGMP, outbound ICMP, outbound IGMP packets, and don't drop packets netfilter labels "INVALID"
AdGuard overrides/resets user-set changes to ADGUARD_INPUT and ADGUARD_OUTPUT chains when AdGuard is restarted and/or updated
AdGuard Advanced Settings that prevent IPv6 from working don't actually drop the IPv6 interface, which continues to be assigned, even for local networks without IPv6 support (in the form of Link-Local Addresses)
Proposed Solution
Include Advanced Settings that enforce rules similar to the ones listed below via simple toggles:
iptables -I ADGUARD_INPUT -p 1 -j DROP
iptables -I ADGUARD_INPUT -p 2 -j DROP
iptables -I ADGUARD_INPUT -m conntrack --ctstate INVALID -j DROP
iptables -I ADGUARD_OUTPUT -p 1 -j DROP
iptables -I ADGUARD_OUTPUT -p 2 -j DROP
iptables -I ADGUARD_OUTPUT -m conntrack --ctstate INVALID -j DROP
Include Advanced Settings that force AdGuard to re-apply user-set AdGuard IPTable chain rules/rule adjustments when AdGuard restarts
Include Advanced Settings that enforce services similar to the ones listed below via simple toggles:
echo 0 > /proc/sys/net/ipv6/conf/all/accept_ra
echo 0 > /proc/sys/net/ipv6/conf/wlan0/accept_ra
echo 1 > /proc/sys/net/ipv6/conf/all/disable_ipv6
echo 1 > /proc/sys/net/ipv6/conf/wlan0/disable_ipv6
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
echo 0 > /proc/sys/net/ipv4/conf/wlan0/accept_redirects
echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects
echo 0 > /proc/sys/net/ipv4/conf/wlan0/send_redirects
echo 0 > /proc/sys/net/ipv4/ip_forward
Additional Information
This request is based on my findings that AdGuard IPTable chains are not affected by general Android INPUT and OUTPUT policies and general user-set rules, such as "iptables -I INPUT 1 -p 1 -j DROP" that doesn't prevent AdGuard from accepting inbound ICMP. The same applies to other rules I list above.
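Added example, not part of the original issue and not AdGuard code: a shell check that reads a chain listing in `iptables -S` format and reports which of the three DROP rules proposed above are absent, which is how a reset after an app restart would show up. The function name `missing_drops` and the sample listing are constructed for illustration; it assumes the listing may print the protocol either by name or by number.

```shell
#!/bin/sh
# Hypothetical helper (added example): list which proposed DROP rules are
# missing from a chain. Reads `iptables -S <chain>` style text on stdin.
# On a rooted device: iptables -S ADGUARD_INPUT | missing_drops ADGUARD_INPUT

missing_drops() {
    chain=$1
    listing=$(cat)
    missing=""
    # label:match pairs. The protocol may be printed as a name or a number,
    # so both spellings are accepted. The whole rule must match exactly, so
    # a narrower rule (one ICMP type only) or "-p 17" is not counted.
    for spec in \
        "icmp:-p (icmp|1)" \
        "igmp:-p (igmp|2)" \
        "invalid:-m conntrack --ctstate INVALID"
    do
        label=${spec%%:*}
        match=${spec#*:}
        if ! printf '%s\n' "$listing" |
            grep -Eq -- "^-A $chain $match -j DROP\$"; then
            missing="$missing $label"
        fi
    done
    # Print the labels space-separated; empty output means nothing is missing.
    echo "${missing# }"
}

# Constructed sample: a chain that kept only the INVALID rule. The "-p 17"
# line is there to show that protocol 17 is not mistaken for protocol 1.
SAMPLE_AFTER_RESTART='-N ADGUARD_INPUT
-A ADGUARD_INPUT -m conntrack --ctstate INVALID -j DROP
-A ADGUARD_INPUT -p 17 -j DROP'

printf '%s\n' "$SAMPLE_AFTER_RESTART" | missing_drops ADGUARD_INPUT
```

Run it after each AdGuard restart or update; any label it prints is a rule that has to be inserted again.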