More Network Stealth - ICMP, IGMP, Port Scanning Prevention, IPv6

[EntropySmoke]

Prerequisites

• [x] I am running the latest version
• [x] I checked the documentation and found no answer
• [x] I checked to make sure that this issue has not already been filed

Problem Description

Feature requests:

• More network-related stealth features with better IPTables rules
• Prevent AdGuard from overriding custom ADGUARD_INPUT/ADGUARD_OUTPUT chain rules when AdGuard is restarted/updated
• Disable IPv6 interface assignments entirely

Problems:

• Default AdGuard AdBlocker ADGUARD_INPUT and ADGUARD_OUTPUT IPTable chains allow for inbound ICMP, inbound IGMP, outbound ICMP, outbound IGMP packets, and don't drop packets netfilter labels "INVALID"
• AdGuard overrides/resets user-set changes to ADGUARD_INPUT and ADGUARD_OUTPUT chains when AdGuard is restarted and/or updated
• AdGuard Advanced Settings that prevent IPv6 from working don't actually drop IPv6 interface, which continues to be assigned, even for local networks without IPv6 support (in form of Link-Local Addresses)

Proposed Solution

• Include Advanced Settings that enforce rules similar to the ones listed below via simple toggles: iptables -I ADGUARD_INPUT -p 1 -j DROP iptables -I ADGUARD_INPUT -p 2 -j DROP iptables -I ADGUARD_INPUT -m conntrack --ctstate INVALID -j DROP iptables -I ADGUARD_OUTPUT -p 1 -j DROP iptables -I ADGUARD_OUTPUT -p 2 -j DROP iptables -I ADGUARD_OUTPUT -m conntrack --ctstate INVALID -j DROP

• Include Advanced Settings that force AdGuard to re-apply user-set AdGuard IPTable chain rules/rule adjustments when AdGuard restarts

• Include Advanced Settings that enforce services similar to the ones listed below via simple toggles: echo 0 > /proc/sys/net/ipv6/conf/all/accept_ra echo 0 > /proc/sys/net/ipv6/conf/wlan0/accept_ra echo 1 > /proc/sys/net/ipv6/conf/all/disable_ipv6 echo 1 > /proc/sys/net/ipv6/conf/wlan0/disable_ipv6 echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects echo 0 > /proc/sys/net/ipv4/conf/wlan0/accept_redirects echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects echo 0 > /proc/sys/net/ipv4/conf/wlan0/send_redirects echo 0 > /proc/sys/net/ipv4/ip_forward

Additional Information

This request is based on my findings that AdGuard IPTable chains are not affected by general Android INPUT and OUTPUT policies and general user-set rules, such as "iptables -I INPUT 1 -p 1 -j DROP" that doesn't prevent AdGuard from accepting inbound ICMP. The same applies to other rules I list above.

[artemiv4nov]

Let's look at how many users will upvote this feature