echo 1 > /proc/sys/net/netfilter/nf_conntrack_helper
you have to add specific rules to the
raw table to attach those helpers. So for your example I think you need to add something like this:
iptables -t raw -A PREROUTING -d $public_ip -p tcp --dport 21 -j CT --helper ftp
That should also take care of making sure the helper modules are loaded without the explicit
Recent kernels no longer automatically attach connection tracking helpers based on compiled in port numbers.