Ben, thanks for the script! It turns out that some modules were installed, but the lack of ip_conntrack_ftp.ko being installed made all the difference! I hadn't realized that iptables could have kernel module dependencies; I learned something new!

Dan