    # Find the current InboundICMP_$$ chain, and create a new one.
    # get_safe_id is defined elsewhere; presumably "find" returns the name of
    # the chain currently in use and "new" returns a fresh name -- TODO confirm.
    IBI=$(get_safe_id InboundICMP filter find)
    new=$(get_safe_id InboundICMP filter new)
    # The replacement chain is built here and only wired into InboundICMP
    # further down, after all of its rules have been appended.
    # NOTE(review): the exit status of this command is not checked in the
    # visible lines, and $new is unquoted here while "$IBI" is quoted below;
    # confirm get_safe_id can never return an empty value or one with spaces.
    /sbin/iptables --new-chain $new
{
    # This fragment appends shell text to $OUT: one iptables command per
    # rule of the new inbound ICMP chain. Rule order matters because
    # iptables acts on the first matching rule.
    my $stealth_mode = $masq{Stealth} || 'no';

    # Stealth: hand echo-request arriving on the outer interface to the
    # denylog chain. This rule has to be emitted before the generic
    # echo-request ACCEPT below, otherwise it would never be reached.
    # The interface is OUTERIF, falling back to INTERNALIF when OUTERIF is
    # unset or empty, so in that case pings on the internal interface are
    # the ones refused.
    $OUT .= <<STEALTH_RULE if $stealth_mode eq 'yes';
    /sbin/iptables --append \$new --proto icmp \\
	--icmp-type echo-request --in-interface \${OUTERIF:-\$INTERNALIF} --jump denylog
STEALTH_RULE

    # Accept only a short allow-list of ICMP types, to stop route
    # hijacking; redirect is not in the list. destination-unreachable is
    # what carries the fragmentation-needed messages used for path MTU
    # discovery.
    # NOTE(review): source-quench has been deprecated (RFC 6633); confirm
    # whether it still needs to be accepted.
    for my $accepted_type (
        'echo-request',
        'echo-reply',
        'destination-unreachable',
        'source-quench',
        'time-exceeded',
        'parameter-problem',
    ) {
        $OUT .= <<ACCEPT_RULE;
    /sbin/iptables --append \$new --proto icmp \\
	--icmp-type $accepted_type --jump ACCEPT
ACCEPT_RULE
    }

    # The shell text that follows this fragment activates the freshly built
    # inbound ICMP chain and removes the previous one.
}
    # Catch-all at the end of the new chain: anything that was not accepted
    # by an earlier rule is handed to the denylog chain (defined elsewhere).
    /sbin/iptables --append $new --jump denylog
    # Point rule 1 of InboundICMP at the new chain. Replacing the rule in
    # place means there is no moment at which InboundICMP has no jump rule.
    /sbin/iptables --replace InboundICMP 1 --jump $new
    # Retire the old chain. Keep "$IBI" quoted: if it were empty and
    # unquoted, a bare --flush / --delete-chain would act on every chain in
    # the table rather than on one.
    # NOTE(review): these two commands run even if the --replace above
    # failed, in which case the chain still referenced by InboundICMP would
    # be emptied. Confirm whether the enclosing script aborts on error.
    /sbin/iptables --flush "$IBI"
    /sbin/iptables --delete-chain "$IBI"
