FTP client iptables nf_conntrack_ftp
Symptoms
OS: CloudLinux 6, 7
ftp ftpserver.domain.com
Connected to ftpserver.domain.com (11.22.33.44).
220-----------------------------------------------
220 This is a private system - No anonymous login
Name (ftpserver.domain.com:root): ftpuser
331 User ftpuser OK. Password required
Password:
230 OK. Current directory is /files
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
227 Entering Passive Mode (11.22.33.44,19,73)
ftp: connect: Connection timed out
The firewall's OUTPUT chain only allows new outgoing TCP connections to a fixed list of ports and drops everything else:
# Accept
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
#
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m multiport --dports 80,443,110,143,25,21,10050 -j ACCEPT
-A OUTPUT -p tcp -j DROP
-A OUTPUT -p udp -j DROP
Result: the data connection to the FTP server in passive mode is not allowed. The client opens a new outgoing connection to the dynamic data port announced in the 227 reply (19*256+73 = 4937 in the session above); conntrack sees it as NEW, it is not in the multiport list, and it hits the DROP rule.
On some servers FTP works correctly with the same firewall rules.
Reason: the nf_conntrack_ftp connection-tracking helper is not loaded on the failing servers. When it is loaded, it inspects the FTP control channel (port 21), reads the address and port from the 227 reply and registers an expectation, so the data connection is classified as RELATED and accepted by the first OUTPUT rule. Note that on kernels 4.7 and later the helper is no longer assigned to connections automatically; it has to be attached explicitly with a raw-table CT rule (iptables -t raw -A OUTPUT -p tcp --dport 21 -j CT --helper ftp).
# enable module nf_conntrack_ftp
modprobe nf_conntrack_ftp
# lsmod | grep ftp
nf_conntrack_ftp 18638 0
nf_conntrack 137175 7 nf_conntrack_ftp,nf_conntrack_ipv4,nf_nat_ipv4,xt_state,nf_conntrack_ipv6,nf_nat_ipv6,nf_nat
Links: https://en.wikipedia.org/wiki/Netfilter#Connection_tracking