So go to the directory:
/etc/e-smith/templates/etc/rc.d/init.d/masq
That's where all the masq templates are.
Two templates there interest us:
First one: 40AllowIcmp; the icmpIn chain must be created.
This is the e-smith-packetfilter-1.13.0-04.noarch.rpm code:
/sbin/iptables --new-chain icmpIn
/sbin/iptables --append INPUT --protocol icmp --jump icmpIn
{
    use esmith::NetworksDB;
    # We want to be very selective on the ICMPs we accept to stop
    # route hijacking
    my @OKicmpTypes = (
        qw(
            echo-request
            echo-reply
            destination-unreachable
            source-quench
            time-exceeded
            parameter-problem
        ) );
    my $stealth = $masq{Stealth} || 'no';
    if ($stealth eq 'yes')
    {
        $OUT .= <<HERE
/sbin/iptables --append icmpIn --proto icmp --icmp-type echo-request --in-interface \$OUTERIF --jump denylog
HERE
    }
    foreach my $icmpType (@OKicmpTypes)
    {
        $OUT .= <<HERE;
/sbin/iptables --append icmpIn --proto icmp --icmp-type $icmpType --jump ACCEPT
HERE
    }
}
Second one: 40AllowICMPOut; the icmpOut chain must be created. This is the e-smith-packetfilter-1.13.0-04.noarch.rpm code:
/sbin/iptables --new-chain icmpOut
/sbin/iptables --append OUTPUT --protocol icmp --jump icmpOut
{
    # We want to be very selective on the ICMPs we accept to stop
    # route hijacking
    foreach my $icmpType (
        qw( echo-request
            echo-reply
            destination-unreachable
            source-quench
            time-exceeded
            parameter-problem
        ) )
    {
        $OUT .= <<HERE;
/sbin/iptables --append icmpOut --proto icmp --icmp-type $icmpType --jump ACCEPT
HERE
    }
}
Most important is that the 2 chains (icmpIn and icmpOut) must be created; if they are not, tell me their new name (if they have a new one, of course).
And there must be no problem for antispoofing, because it's a new template.
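
An added example, not part of the original post or of e-smith-packetfilter: a shell check that the text of an expanded masq script creates icmpIn and icmpOut, hooks them from INPUT and OUTPUT, and lists which ICMP types each chain accepts. The function names and both sample scripts are constructed for illustration.

```shell
#!/bin/sh
# Hypothetical helpers (not from e-smith): inspect the text of an expanded
# masq script for the chains the 40AllowIcmp / 40AllowICMPOut templates use.

# check_chain SCRIPT CHAIN PARENT
# Succeeds only if SCRIPT both creates CHAIN and jumps to it from PARENT
# for protocol icmp; otherwise prints what is missing and returns 1.
check_chain() {
    script=$1 chain=$2 parent=$3 rc=0
    end='([[:space:]]|$)'   # chain name must end here (icmpIn vs icmpInX)
    if ! printf '%s\n' "$script" |
        grep -Eq -- "--new-chain[[:space:]]+$chain$end"; then
        echo "missing: chain $chain is never created"
        rc=1
    fi
    if ! printf '%s\n' "$script" |
        grep -Eq -- "--append[[:space:]]+$parent[[:space:]].*--proto(col)?[[:space:]]+icmp[[:space:]].*--jump[[:space:]]+$chain$end"; then
        echo "missing: $parent has no icmp jump to $chain"
        rc=1
    fi
    return $rc
}

# accepted_types SCRIPT CHAIN
# Prints the ICMP types CHAIN jumps to ACCEPT for, one per line, in rule
# order. Rules with another target (e.g. the Stealth denylog rule) are skipped.
accepted_types() {
    printf '%s\n' "$1" | sed -n -E \
        "s/.*--append[[:space:]]+$2[[:space:]].*--icmp-type[[:space:]]+([^[:space:]]+).*--jump[[:space:]]+ACCEPT.*/\1/p"
}

# Constructed sample: expanded output with Stealth enabled (shortened type list).
SAMPLE_OK='/sbin/iptables --new-chain icmpIn
/sbin/iptables --append INPUT --protocol icmp --jump icmpIn
/sbin/iptables --append icmpIn --proto icmp --icmp-type echo-request --in-interface $OUTERIF --jump denylog
/sbin/iptables --append icmpIn --proto icmp --icmp-type echo-request --jump ACCEPT
/sbin/iptables --append icmpIn --proto icmp --icmp-type echo-reply --jump ACCEPT
/sbin/iptables --new-chain icmpOut
/sbin/iptables --append OUTPUT --protocol icmp --jump icmpOut
/sbin/iptables --append icmpOut --proto icmp --icmp-type echo-request --jump ACCEPT'

# Constructed sample: icmpOut rules exist but the chain is never created or hooked.
SAMPLE_NO_OUT='/sbin/iptables --new-chain icmpIn
/sbin/iptables --append INPUT --protocol icmp --jump icmpIn
/sbin/iptables --append icmpOut --proto icmp --icmp-type echo-request --jump ACCEPT'

check_chain "$SAMPLE_OK" icmpIn INPUT && echo "icmpIn: created and hooked"
check_chain "$SAMPLE_NO_OUT" icmpOut OUTPUT || echo "icmpOut: template would fail"
```
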