Its beyond what gets parsed for FTP traffic in your filter table.
Since you want a permanent block I'd move it up in the table
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -s 22.214.171.124/16 -j NOTRACK
-A PREROUTING -s 126.96.36.199/16 -j DROP
:FORWARD DROP [0:0]
Also note it's a /16 or a /17 and the range does not
represent .cn: it's part of the infamous AS4134 which itself comprises of over 900+ prefixes
. (BTW wrt Netfilter vs tcp_wrappers also see this
.) If you're going to drop many prefixes then I suggest you use ipset
instead: it's more secure than tcp_wrappers, easier to manage and doesn't influence parsing iptables rules like having 900 or over would.