#!/system/bin/sh

# ----------------------------------IPv4----------------------------------

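# __________________[prevent_DoubleDirect_vulnerability]__________________
# DoubleDirect-style man-in-the-middle attacks depend on the victim honouring
# forged ICMP redirect messages, so redirect acceptance is switched off.
#
# On a host that is not forwarding, the kernel accepts IPv4 redirects on an
# interface when EITHER conf/all OR that interface's own accept_redirects is
# non-zero (see the kernel's ip-sysctl documentation). Clearing only "all" and
# "default" would leave interfaces that already exist when this script runs
# still accepting redirects, so every entry under conf/ is cleared.
for redirect_knob in /proc/sys/net/ipv4/conf/*/accept_redirects; do
    # an unmatched glob stays a literal string; skip anything that is not there
    [ -e "$redirect_knob" ] || continue
    iface_dir=${redirect_knob%/accept_redirects}
    case "${iface_dir##*/}" in
        all)
            # kernel-wide switch for IPv4 ICMP redirect acceptance
            sysctl -w net.ipv4.conf.all.accept_redirects=0
            ;;
        default)
            # template inherited by interfaces created later
            sysctl -w net.ipv4.conf.default.accept_redirects=0
            ;;
        *)
            # interface that already exists: write /proc directly, because
            # interface names containing dots do not map cleanly onto dotted
            # sysctl keys
            echo 0 > "$redirect_knob"
            ;;
    esac
done #____________________________________________________________________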

# ______________________[prevent_SYN_flood_attacks]_______________________
# NOTE: despite the section title, rp_filter is reverse-path source validation
# (RFC1812), i.e. an anti-spoofing control: a packet is dropped when its source
# address is not reachable through the interface it arrived on. It does not by
# itself mitigate SYN floods; the kernel knob for that is
# net.ipv4.tcp_syncookies, which is not set in this section.
#
#  *  Recommended for single homed hosts and stub network routers.
#  *  May break complicated (not loop free) networks that run a slow,
#     unreliable routing protocol (RIP and the like) or rely on static routes.
#
# The kernel applies the higher of conf/all and the per-interface value, so
# setting "all" to 1 enforces strict mode on existing interfaces as well;
# "default" covers interfaces created later.
for scope in all default; do
    if [ -e "/proc/sys/net/ipv4/conf/$scope/rp_filter" ]; then
        # 1 = strict reverse-path validation
        sysctl -w "net.ipv4.conf.$scope.rp_filter=1"
    fi
done #____________________________________________________________________

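# ____________________[disable_router_functionalities]____________________
# A handset is an end host, so behaviour that only routers need is turned off:
#  *  send_redirects      - stop this host from SENDING ICMP redirects
#  *  secure_redirects    - stop treating redirects from listed default
#                           gateways as acceptable; this should only matter
#                           while accept_redirects is still enabled somewhere
#  *  accept_source_route - drop packets carrying source-route (SRR) options
#
# Scope notes (kernel ip-sysctl documentation):
#  *  send_redirects and secure_redirects stay enabled on an interface when
#     EITHER conf/all OR the interface's own value is set, so interfaces that
#     already exist are cleared too, not just "all" and "default".
#  *  accept_source_route needs BOTH conf/all and the interface value set to
#     accept such packets. Only "default" used to be cleared here, which left
#     existing interfaces untouched; clearing "all" closes that gap.
for router_knob in send_redirects secure_redirects accept_source_route; do
    for knob_path in /proc/sys/net/ipv4/conf/*/"$router_knob"; do
        # an unmatched glob stays a literal string; skip anything that is not there
        [ -e "$knob_path" ] || continue
        scope=${knob_path%/*}
        scope=${scope##*/}
        case "$scope" in
            all|default)
                # kernel-wide switch / template for interfaces created later
                sysctl -w "net.ipv4.conf.$scope.$router_knob=0"
                ;;
            *)
                # interface that already exists: write /proc directly, because
                # interface names containing dots do not map cleanly onto
                # dotted sysctl keys
                echo 0 > "$knob_path"
                ;;
        esac
    done
done #____________________________________________________________________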

# ____________________________[miscellaneous]_____________________________
# Both knobs are set to 1 when the running kernel exposes them:
#  *  tcp_no_metrics_save  - by default TCP stores connection metrics in the
#     route cache when a connection closes, so that connections opened soon
#     afterwards can start from them. That usually helps performance but can
#     occasionally hurt it; with 1, nothing is cached on close.
#  *  icmp_echo_ignore_all - any non-zero value makes the kernel ignore every
#     ICMP ECHO request addressed to it, which only hides the host from
#     ping-based discovery.
#     [AFAIK Android does not answer ping requests even when this is 0]
for misc_knob in tcp_no_metrics_save icmp_echo_ignore_all; do
    if [ -e "/proc/sys/net/ipv4/$misc_knob" ]; then
        sysctl -w "net.ipv4.$misc_knob=1"
    fi
done #____________________________________________________________________

# ----------------------------------IPv6----------------------------------

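# __________________[prevent_DoubleDirect_vulnerability]__________________
# IPv6 counterpart of the ICMP redirect hardening: forged redirects can be
# used to pull traffic through an attacker-chosen next hop, so they are not
# accepted.
#
# For IPv6, most conf/all values are not propagated to interfaces that already
# exist (behaviour differs between kernel versions - verify on the target
# kernel), so every per-interface entry is cleared in addition to "all" and
# "default". Writing 0 to an interface that is already at 0 is harmless.
for redirect_knob in /proc/sys/net/ipv6/conf/*/accept_redirects; do
    # an unmatched glob stays a literal string; skip anything that is not there
    [ -e "$redirect_knob" ] || continue
    iface_dir=${redirect_knob%/accept_redirects}
    case "${iface_dir##*/}" in
        all)
            # kernel-wide entry for IPv6 ICMP redirect acceptance
            sysctl -w net.ipv6.conf.all.accept_redirects=0
            ;;
        default)
            # template inherited by interfaces created later
            sysctl -w net.ipv6.conf.default.accept_redirects=0
            ;;
        *)
            # interface that already exists: write /proc directly, because
            # interface names containing dots do not map cleanly onto dotted
            # sysctl keys
            echo 0 > "$redirect_knob"
            ;;
    esac
done #____________________________________________________________________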

# ____[enable_IPv6_privacy_extensions_on_all_new_interfaces_(RFC3041)]____
# (RFC 3041 has since been superseded by RFC 4941 and RFC 8981.)
# Meaning of use_tempaddr:
#  *  <= 0 : Privacy Extensions disabled
#  *  == 1 : Privacy Extensions enabled, public addresses preferred over
#            temporary addresses
#  *  >  1 : Privacy Extensions enabled, temporary addresses preferred over
#            public addresses
# Temporary addresses keep the stable interface identifier out of outgoing
# connections, which makes the device harder to track across networks.
# NOTE(review): interfaces that already exist when this runs keep their own
# per-interface use_tempaddr, and conf/all may not propagate to them on every
# kernel - confirm on the target device.
for scope in all default; do
    if [ -e "/proc/sys/net/ipv6/conf/$scope/use_tempaddr" ]; then
        # 2 = enable Privacy Extensions and prefer temporary addresses
        sysctl -w "net.ipv6.conf.$scope.use_tempaddr=2"
    fi
done #____________________________________________________________________
