FTP nightmare

Hi,

I hope somebody here can help me cause it's driving me nuts.
I have one computer connected to the internet via eth0, and eth1 is
forwarding all the traffic to the rest of the network.
The computer that's directly connected to the internet (getafix) is able
to ftp just fine. All the others are not however. I can start a connection
from the machines behind the firewall but when I try to put or to get
anything it puts/gets the first 16K and stalls; no movement whatsoever.
Does somebody know what this could be?
Please find below the firewall script that I'm using and the result from
lsmod. Please let me know if more information is needed.

Thanks in advance,
Rudi.


lsmod:

[root@getafix install]# lsmod
Module Size Used by
parport_pc 29189 1
lp 13129 0
parport 40969 2 parport_pc,lp
autofs4 29637 2
rfcomm 42589 0
l2cap 30917 5 rfcomm
bluetooth 56517 4 rfcomm,l2cap
sunrpc 168453 1
video 16069 0
button 4161 0
battery 9541 0
ac 4933 0
ipt_TCPMSS 4289 0
ipt_limit 3521 0
ip_nat_irc 2881 0
ip_nat_ftp 3521 0
iptable_mangle 3009 0
ipt_LOG 7873 1
ipt_MASQUERADE 3393 1
iptable_nat 22165 4 ip_nat_irc,ip_nat_ftp,ipt_MASQUERADE
nvidia 3716356 12
ipt_TOS 2625 0
ipt_REJECT 5825 0
ip_conntrack_irc 72657 1 ip_nat_irc
ip_conntrack_ftp 73425 1 ip_nat_ftp
ipt_state 1985 1
ip_conntrack 42009 7 ip_nat_irc,ip_nat_ftp,ipt_MASQUERADE,iptable_nat,i p_conntrack_irc,ip_conntrack_ftp,ipt_state
iptable_filter 3137 1
ip_tables 19521 10 ipt_TCPMSS,ipt_limit,iptable_mangle,ipt_LOG,ipt_MA SQUERADE,iptable_nat,ipt_TOS,ipt_REJECT,ipt_state, iptable_filter
md5 4161 1
ipv6 268737 10
ohci1394 41609 0
ieee1394 305081 1 ohci1394
ohci_hcd 26977 0
ehci_hcd 41165 0
i2c_nforce2 7105 0
i2c_core 21825 1 i2c_nforce2
shpchp 94661 0
snd_usb_audio 68609 0
snd_usb_lib 15937 1 snd_usb_audio
snd_rawmidi 30561 1 snd_usb_lib
snd_intel8x0 34945 3
snd_ac97_codec 76217 1 snd_intel8x0
snd_seq_dummy 3781 0
snd_seq_oss 37569 0
snd_seq_midi_event 9409 1 snd_seq_oss
snd_seq 62801 5 snd_seq_dummy,snd_seq_oss,snd_seq_midi_event
snd_seq_device 9037 4 snd_rawmidi,snd_seq_dummy,snd_seq_oss,snd_seq
snd_pcm_oss 51569 0
snd_mixer_oss 18113 1 snd_pcm_oss
snd_pcm 100553 5 snd_usb_audio,snd_intel8x0,snd_ac97_codec,snd_pcm_ oss
snd_timer 33733 3 snd_seq,snd_pcm
snd 57669 15 snd_usb_audio,snd_rawmidi,snd_intel8x0,snd_ac97_co dec,snd_seq_oss,snd_seq,snd_seq_device,snd_pcm_oss ,snd_mixer_oss,snd_pcm,snd_timer
soundcore 11169 1 snd
snd_page_alloc 9925 2 snd_intel8x0,snd_pcm
forcedeth 24129 0
3c59x 44905 0
mii 5569 1 3c59x
floppy 65397 0
dm_snapshot 17413 0
dm_zero 2113 0
dm_mirror 26157 0
ext3 132681 3
jbd 86233 1 ext3
dm_mod 58101 6 dm_snapshot,dm_zero,dm_mirror
sata_nv 9541 0
libata 47301 1 sata_nv
sd_mod 20545 0
scsi_mod 147977 2 libata,sd_mod


firewallscript:

#!/bin/sh
#
# rc.firewall-2.4
FWVER=0.63
#
# Initial SIMPLE IP Masquerade test for 2.4.x kernels
# using IPTABLES.
#
# Once IP Masquerading has been tested, with this simple
# ruleset, it is highly recommended to use a stronger
# IPTABLES ruleset either given later in this HOWTO or
# from another reputable resource.
#
#
#
# Log:
# 0.63 - Added support for the IRC IPTABLES module
# 0.62 - Fixed a typo on the MASQ enable line that used eth0
# instead of $EXTIF
# 0.61 - Changed the firewall to use variables for the internal
# and external interfaces.
# 0.60 - 0.50 had a mistake where the ruleset had a rule to DROP
# all forwarded packets but it didn't have a rule to ACCEPT
# any packets to be forwarded either
# - Load the ip_nat_ftp and ip_conntrack_ftp modules by default
# 0.50 - Initial draft
#

echo -e "\n\nLoading simple rc.firewall version $FWVER..\n"


# The location of the 'iptables' program
#
# If your Linux distribution came with a copy of iptables, most
# likely it is located in /sbin. If you manually compiled
# iptables, the default location is in /usr/local/sbin
#
# ** Please use the "whereis iptables" command to figure out
# ** where your copy is and change the path below to reflect
# ** your setup
#
IPTABLES=/sbin/iptables


#Setting the EXTERNAL and INTERNAL interfaces for the network
#
# Each IP Masquerade network needs to have at least one
# external and one internal network. The external network
# is where the natting will occur and the internal network
# should preferably be addressed with a RFC1918 private address
# scheme.
#
# For this example, "eth0" is external and "eth1" is internal"
#
# NOTE: If this doesnt EXACTLY fit your configuration, you must
# change the EXTIF or INTIF variables above. For example:
#
# EXTIF="ppp0"
#
# if you are a modem user.
#
EXTIF="eth0"
INTIF="eth1"
echo " External Interface: $EXTIF"
echo " Internal Interface: $INTIF"


#================================================= =====================
#== No editing beyond this line is required for initial MASQ testing ==


echo -en " loading modules: "

# Need to verify that all modules have all required dependencies
#
echo " - Verifying that all kernel modules are ok"
/sbin/depmod -a

# With the new IPTABLES code, the core MASQ functionality is now either
# modular or compiled into the kernel. This HOWTO shows ALL IPTABLES
# options as MODULES. If your kernel is compiled correctly, there is
# NO need to load the kernel modules manually.
#
# NOTE: The following items are listed ONLY for informational reasons.
# There is no reason to manual load these modules unless your
# kernel is either mis-configured or you intentionally disabled
# the kernel module autoloader.
#

# Upon the commands of starting up IP Masq on the server, the
# following kernel modules will be automatically loaded:
#
# NOTE: Only load the IP MASQ modules you need. All current IP MASQ
# modules are shown below but are commented out from loading.
# ================================================== =============

#Load the main body of the IPTABLES module - "iptable"
# - Loaded automatically when the "iptables" command is invoked
#
# - Loaded manually to clean up kernel auto-loading timing issues
#
echo -en "ip_tables, "
/sbin/modprobe ip_tables


#Load the IPTABLES filtering module - "iptable_filter"
# - Loaded automatically when filter policies are activated


#Load the stateful connection tracking framework - "ip_conntrack"
#
# The conntrack module in itself does nothing without other specific
# conntrack modules being loaded afterwards such as the "ip_conntrack_ftp"
# module
#
# - This module is loaded automatically when MASQ functionality is
# enabled
#
# - Loaded manually to clean up kernel auto-loading timing issues
#
echo -en "ip_conntrack, "
/sbin/modprobe ip_conntrack


#Load the FTP tracking mechanism for full FTP tracking
#
# Enabled by default -- insert a "#" on the next line to deactivate
#
echo -en "ip_conntrack_ftp, "
/sbin/modprobe ip_conntrack_ftp


#Load the IRC tracking mechanism for full IRC tracking
#
# Enabled by default -- insert a "#" on the next line to deactivate
#
echo -en "ip_conntrack_irc, "
/sbin/modprobe ip_conntrack_irc


#Load the general IPTABLES NAT code - "iptable_nat"
# - Loaded automatically when MASQ functionality is turned on
#
# - Loaded manually to clean up kernel auto-loading timing issues
#
echo -en "iptable_nat, "
/sbin/modprobe iptable_nat


#Loads the FTP NAT functionality into the core IPTABLES code
# Required to support non-PASV FTP.
#
# Enabled by default -- insert a "#" on the next line to deactivate
#
echo -en "ip_nat_ftp, "
/sbin/modprobe ip_nat_ftp


# Just to be complete, here is a list of the remaining kernel modules
# and their function. Please note that several modules should be only
# loaded by the correct master kernel module for proper operation.
# --------------------------------------------------------------------
#
# ipt_mark - this target marks a given packet for future action.
# This automatically loads the ipt_MARK module
#
# ipt_tcpmss - this target allows to manipulate the TCP MSS
# option for braindead remote firewalls.
# This automatically loads the ipt_TCPMSS module
#
# ipt_limit - this target allows for packets to be limited to
# to many hits per sec/min/hr
#
# ipt_multiport - this match allows for targets within a range
# of port numbers vs. listing each port individually
#
# ipt_state - this match allows to catch packets with various
# IP and TCP flags set/unset
#
# ipt_unclean - this match allows to catch packets that have invalid
# IP/TCP flags set
#
# iptable_filter - this module allows for packets to be DROPped,
# REJECTed, or LOGged. This module automatically
# loads the following modules:
#
# ipt_LOG - this target allows for packets to be
# logged
#
# ipt_REJECT - this target DROPs the packet and returns
# a configurable ICMP packet back to the
# sender.
#
# iptable_mangle - this target allows for packets to be manipulated
# for things like the TCPMSS option, etc.

echo ". Done loading modules."



#CRITICAL: Enable IP forwarding since it is disabled by default since
#
# Redhat Users: you may try changing the options in
# /etc/sysconfig/network from:
#
# FORWARD_IPV4=false
# to
# FORWARD_IPV4=true
#
echo " enabling forwarding.."
echo "1" > /proc/sys/net/ipv4/ip_forward


# Dynamic IP users:
#
# If you get your IP address dynamically from SLIP, PPP, or DHCP,
# enable this following option. This enables dynamic-address hacking
# which makes the life with Diald and similar programs much easier.
#
echo " enabling DynamicAddr.."
echo "1" > /proc/sys/net/ipv4/ip_dynaddr


# Enable simple IP forwarding and Masquerading
#
# NOTE: In IPTABLES speak, IP Masquerading is a form of SourceNAT or SNAT.
#
# NOTE #2: The following is an example for an internal LAN address in the
# 192.168.0.x network with a 255.255.255.0 or a "24" bit subnet mask
# connecting to the Internet on external interface "eth0". This
# example will MASQ internal traffic out to the Internet but not
# allow non-initiated traffic into your internal network.
#
#
# ** Please change the above network numbers, subnet mask, and your
# *** Internet connection interface name to match your setup
#


#Clearing any previous configuration
#
# Unless specified, the defaults for INPUT and OUTPUT is ACCEPT
# The default for FORWARD is DROP
#
echo " clearing any existing rules and setting default policy.."
$IPTABLES -P INPUT ACCEPT
$IPTABLES -F INPUT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -F OUTPUT
$IPTABLES -P FORWARD DROP
$IPTABLES -F FORWARD
$IPTABLES -t nat -F

echo " FWD: Allow all connections OUT and only existing and related ones IN"
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT
$IPTABLES -A FORWARD -j LOG

echo " Enabling SNAT (MASQUERADE) functionality on $EXTIF"
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE

echo -e "\nrc.firewall-2.4 v$FWVER done.\n"