FTP not working, only login, ls blocked by firewall even with nf_conntrack_ftp

mmenaz (Renowned Member, joined Jun 25, 2009, Northern east Italy)
pve-manager/3.4-1/3f2d890e (running kernel: 3.10.0-5-pve), default OUT policy set to REJECT, and an external ftp server I need to access to save backups there.
I've added nf_conntrack_ftp in /etc/modules, added a rule with the FTP macro to let out traffic go for that protocol (and destination IP), and rebooted. lsmod shows nf_conntrack_ftp is present.
Code:
# ftp -p -n <FTP_SERVER_IP>
[...]
ftp> ls
227 Entering Passive Mode
ftp: connect: Connection refused
ftp>
and in the firewall log
Code:
0 6 PVEFW-HOST-OUT  01/Jan/1970:01:00:00 +0100 policy REJECT: OUT=vmbr0  SRC=<MY_SRC_IP> DST=<FTP_SERVER_IP> [...] DF PROTO=TCP  SPT=38434 DPT=28679
Otherwise, if I add a "pass all" out rule at the top, everything works:
Code:
ftp> ls
227 Entering Passive Mode
150 Accepted data connection
drwxr-xr-x    2 1001       ftp              4096 Feb  6 15:55 dump
drwxr-xr-x    3 1001       ftp              4096 Feb  6 15:55 template
226 2 matches total
Any tip?
Of course it is!
The generated rules are (from iptables-save, and with the ftp rule moved from Datacenter to the node):
Code:
-A PVEFW-HOST-OUT -o lo -j ACCEPT
-A PVEFW-HOST-OUT -m conntrack --ctstate INVALID -j DROP
-A PVEFW-HOST-OUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A PVEFW-HOST-OUT -p igmp -j RETURN
-A PVEFW-HOST-OUT -o vmbr0 -p tcp -m set --match-set PVEFW-0-ftp_onlinenet-v4 dst -m tcp --dport 21 -j RETURN
-A PVEFW-HOST-OUT -o vmbr90 -j RETURN
-A PVEFW-HOST-OUT -p udp -m udp --dport 53 -j RETURN
-A PVEFW-HOST-OUT -p tcp -m tcp --dport 53 -j RETURN
-A PVEFW-HOST-OUT -p udp -m udp --dport 123 -j RETURN
-A PVEFW-HOST-OUT -p icmp -m icmp --icmp-type 8 -j RETURN
Regards
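As an added illustration (not from the post and not Proxmox code), the Python below reproduces the correlation a defender would do by hand with the output quoted in the two posts above: it parses the server's 227 PASV reply for the announced data port (p1*256+p2, the same parsing nf_conntrack_ftp performs on the control channel) and checks it against the DPT in the PVEFW-HOST-OUT REJECT line. The PASV address tuple, the IP addresses and the extra KEY=VALUE fields in the log line are constructed, because the post shows only the "227 Entering Passive Mode" prefix and an abbreviated log line. When the rejected DPT equals the announced passive port, the data connection was never marked RELATED by the helper, so the RELATED,ESTABLISHED rule did not match it and it fell through to the REJECT policy.

```python
import re

# Constructed sample data, modelled on the output quoted in the post. The post
# shows only the "227 Entering Passive Mode" prefix, so the (h1,h2,h3,h4,p1,p2)
# tuple and the addresses below are made up; 112*256+7 = 28679 is chosen so the
# sample matches the DPT in the quoted firewall log line.
PASV_REPLY = "227 Entering Passive Mode (192,0,2,10,112,7)"

FW_LOG_LINE = (
    "0 6 PVEFW-HOST-OUT  01/Jan/1970:01:00:00 +0100 policy REJECT: OUT=vmbr0  "
    "SRC=198.51.100.5 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1234 DF "
    "PROTO=TCP  SPT=38434 DPT=28679 WINDOW=29200 RES=0x00 SYN URGP=0"
)

# RFC 959 PASV reply: "227 <text> (h1,h2,h3,h4,p1,p2)"; the data port is p1*256+p2.
# nf_conntrack_ftp parses the same reply on the control connection to register a
# RELATED expectation for the upcoming data connection.
_PASV_RE = re.compile(
    r"^227\b.*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)"
)


def parse_pasv(reply):
    """Return (host, port) announced in a 227 reply, or raise ValueError."""
    m = _PASV_RE.match(reply.strip())
    if not m:
        raise ValueError("not a well-formed 227 PASV reply: %r" % reply)
    octets = [int(x) for x in m.groups()]
    if any(o > 255 for o in octets):
        raise ValueError("PASV field out of range: %r" % reply)
    host = ".".join(str(o) for o in octets[:4])
    port = octets[4] * 256 + octets[5]
    return host, port


def parse_pve_fw_log(line):
    """Split a PVEFW log line into its KEY=VALUE fields plus chain and verdict."""
    tokens = line.split()
    fields = {}
    for tok in tokens:
        if "=" in tok:
            key, value = tok.split("=", 1)
            fields[key] = value
    # The chain name is the third whitespace-separated token (e.g. PVEFW-HOST-OUT).
    fields["CHAIN"] = tokens[2]
    verdict = re.search(r"\b(ACCEPT|DROP|REJECT)\b", line)
    fields["VERDICT"] = verdict.group(1) if verdict else "?"
    return fields


def rejected_passive_data_connection(pasv_reply, log_line):
    """True if the logged REJECT is the data connection the server announced."""
    host, port = parse_pasv(pasv_reply)
    fw = parse_pve_fw_log(log_line)
    return (
        fw["VERDICT"] == "REJECT"
        and fw.get("PROTO") == "TCP"
        and fw.get("DST") == host
        and int(fw.get("DPT", -1)) == port
    )


if __name__ == "__main__":
    host, port = parse_pasv(PASV_REPLY)
    print("server announced data endpoint %s:%d" % (host, port))
    if rejected_passive_data_connection(PASV_REPLY, FW_LOG_LINE):
        print("the REJECT is the passive data connection: "
              "conntrack did not classify it as RELATED")
```

Run it on the real 227 line (use `ftp -v` so the full reply with the address tuple is shown) and the corresponding PVEFW log line; a match confirms the problem is the missing RELATED expectation rather than a wrong destination set or port in the FTP macro rule.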