I suppose you have enabled nf_conntrack and nf_nat_ftp as modules. It is supposed to keep track of connections, so when you open an outgoing connection the reply is accepted. Check that packets are not dropped on the firewall by enabling logging. Try to use L7 protocol matching instead of plain ports. Use both ports 20 and 21 for FTP.
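The setup this answer describes, as an added example that is not part of the original post: a ruleset that ties the FTP conntrack helper to port 21 and logs what would be dropped, plus a filter that pulls FTP-port drops out of the kernel log. It assumes an FTP client host with a default-drop INPUT policy; the function names, the `FW-DROP: ` prefix and the sample log lines are constructed for illustration.

```shell
# Added example (assumed: FTP client host, default-drop INPUT policy).
# Needs the nf_conntrack_ftp helper module: modprobe nf_conntrack_ftp
# Apply as root with: ftp_ruleset | iptables-restore
ftp_ruleset() {
cat <<'EOF'
*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Attach the FTP helper to outgoing control connections (port 21)
-A OUTPUT -p tcp --dport 21 -j CT --helper ftp
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
# Replies (ESTABLISHED) and helper-expected data connections (RELATED)
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Log whatever is about to hit the DROP policy
-A INPUT -j LOG --log-prefix "FW-DROP: "
COMMIT
EOF
}

# Read kernel log lines on stdin; print logged drops touching port 20 or 21.
ftp_drops() {
    awk '/FW-DROP: / && /PROTO=TCP/ {
        src = dst = spt = dpt = ""
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "SRC") src = kv[2]
            if (kv[1] == "DST") dst = kv[2]
            if (kv[1] == "SPT") spt = kv[2]
            if (kv[1] == "DPT") dpt = kv[2]
        }
        if (spt == "20" || spt == "21" || dpt == "20" || dpt == "21")
            print src ":" spt " -> " dst ":" dpt
    }'
}

# Constructed log lines: one dropped FTP data packet, one unrelated drop, one noise line.
sample_log() {
cat <<'EOF'
Mar  3 10:15:01 client kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.10 DST=192.0.2.5 LEN=60 TTL=52 PROTO=TCP SPT=20 DPT=40123 SYN
Mar  3 10:15:04 client kernel: FW-DROP: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.5 LEN=52 TTL=110 PROTO=TCP SPT=51522 DPT=445 SYN
Mar  3 10:15:09 client sshd[811]: Accepted publickey for admin from 192.0.2.9 port 50022
EOF
}
sample_log | ftp_drops
```

A logged drop with `SPT=20`, as in the first sample line, means an active-mode data connection was not recognised as RELATED, which usually points at the helper not being loaded or not being attached to the control connection.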