The iptables multiport module is rejecting a rule because it is being combined with a protocol that has no port numbers for it to match. The check is done by the userspace multiport extension while the rule is parsed, and it produces one of two messages: "multiport needs `-p tcp', `-p udp', `-p udplite', `-p sctp' or `-p dccp'" when no protocol was given at all, and "multiport only works with TCP, UDP, UDPLite, SCTP and DCCP" when the protocol given is not one of those five, or is negated with "!".
Here are the common reasons this error occurs and how to fix them:
1. Using multiport with a Protocol That Has No Ports
This is the most frequent cause. The multiport module only works with the transport protocols that carry port numbers: TCP, UDP, UDP-Lite, SCTP and DCCP (by name, or by IP protocol number 6, 17, 136, 132 and 33). Using it with ICMP, ESP, AH, GRE or any other protocol, with a negated protocol (! -p tcp), or with no -p at all makes the rule fail.
Diagnosis:
Examine your iptables rules. Look for rules that use -m multiport without a -p tcp, -p udp, -p udplite, -p sctp or -p dccp earlier on the same line (the protocol must come before the multiport options, which is why iptables-save always writes -p before -m). Remember that a rejected rule never made it into the live ruleset, so check the command or rules file you are loading as well as the running rules:
sudo iptables -S | grep multiport
sudo iptables -L -v -n --line-numbers
Example of a bad rule:
# This rule will fail
-A INPUT -p icmp -m multiport --dports 80,443 -j ACCEPT
Fix:
Remove the multiport module from rules whose protocol has no ports, and match on what that protocol actually offers instead. ICMP is matched by type and code with --icmp-type; ESP and AH are matched by protocol alone. If you actually meant to allow TCP or UDP services, change the protocol rather than dropping multiport.
Example fix for the bad rule above:
# ICMP has no ports: allow the ICMP types you need instead
sudo iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
# If the intent was really the HTTP/HTTPS services, fix the protocol instead
sudo iptables -A INPUT -p tcp -m multiport --dports 80,443 -j ACCEPT
Why it works:
Each match extension is tied to the header it inspects. multiport reads the source and destination port fields of a transport header, and ICMP has none, so the corrected rule uses the icmp match, which reads the ICMP type and code fields instead.
2. The xt_multiport Kernel Module Is Missing
The kernel normally autoloads xt_multiport the first time a multiport rule is committed, so this is uncommon. It can happen on minimal or custom kernels built without CONFIG_NETFILTER_XT_MATCH_MULTIPORT, or when module loading has been disabled. Note that the symptom differs from the protocol error above: the rule parses fine in userspace and then fails when it is committed, with "iptables: No chain/target/match by that name."
Diagnosis:
Check whether the xt_multiport kernel module is loaded, and whether it exists for the running kernel at all.
lsmod | grep xt_multiport
modinfo xt_multiport
If lsmod shows nothing but modinfo finds the module, load it manually. If modinfo fails as well, the kernel was built without it and has to be rebuilt or replaced.
Fix: Load the module explicitly.
sudo modprobe xt_multiport
Then, re-apply your iptables rules.
Why it works:
This ensures the kernel side of the multiport match is present when the rule is committed; without it the kernel cannot accept a rule that references the match, however correct the syntax is.
3. Typo in multiport or Port Specification
A simple typo in the module name or the port list can cause this error.
Diagnosis:
Carefully review the iptables command or rule file for spelling mistakes. Check for:
- A misspelled module name, such as multi-port instead of multiport.
- --dport or --sport instead of --dports or --sports. The singular forms belong to the tcp and udp matches and accept a single port or range, so a comma-separated list is rejected.
- Incorrect port numbers or invalid characters in the port list: use valid port numbers or service names separated by commas, write ranges as low:high, and keep to at most 15 ports per list (a range counts as two).
Example of a bad rule:
# Typo in module name
-A INPUT -p tcp -m multi-port --dports 80,443 -j ACCEPT
# Typo in option name
-A INPUT -p tcp -m multiport --dport 80,443 -j ACCEPT
Fix:
Correct the typo in the iptables command. Both bad rules above have the same intended meaning and the same correct form:
sudo iptables -A INPUT -p tcp -m multiport --dports 80,443 -j ACCEPT
Why it works:
Correcting the syntax ensures iptables can parse and understand the intended rule.
4. Using multiport with IPsec (AH/ESP)
ESP (IP protocol 50) and AH (IP protocol 51) are IP-layer protocols with no port fields, so multiport cannot be used with them. The ports people associate with IPsec, UDP 500 and 4500, belong to IKE and NAT-T, which run over UDP, not to ESP or AH themselves.
Diagnosis:
Look for rules that specify -p ah or -p esp and also attempt to use the multiport module.
sudo iptables -L -v -n --line-numbers
Example of a bad rule:
-A OUTPUT -p esp -m multiport --dports 500,4500 -j ACCEPT
Fix:
Match ESP and AH by protocol only, and put the port match on a separate UDP rule for IKE and NAT-Traversal.
Example fix:
sudo iptables -A OUTPUT -p udp -m multiport --dports 500,4500 -j ACCEPT
sudo iptables -A OUTPUT -p esp -j ACCEPT
sudo iptables -A OUTPUT -p ah -j ACCEPT
Note: the UDP rule covers IKE (500) and NAT-T encapsulated ESP (4500); the esp and ah rules cover the tunnel traffic itself, which has nothing for multiport to match. Inbound traffic needs the mirror rules in INPUT.
Why it works:
The port match is now applied to the protocol that actually carries those ports (UDP, for IKE and NAT-T), and ESP and AH are matched on the only thing they expose to iptables, their protocol number.
5. iptables-restore or iptables-save Issues
If you load rules from a file with iptables-restore and the file contains one of the invalid multiport rules described above, the restore fails at that rule. iptables-restore prints the multiport error followed by "Error occurred at line: N", where N is the line number in the file, and the table being restored is not committed, so it stays in its previous state.
Diagnosis:
Use the reported line number to go straight to the offending rule, and check the rest of the file for the issues described above:
grep -n multiport /etc/sysconfig/iptables # Or /etc/iptables/rules.v4 on Debian/Ubuntu, or wherever your rules are saved
You can also validate the whole file without changing the live ruleset:
sudo iptables-restore --test < /etc/sysconfig/iptables
Fix:
Edit the rules file and correct any multiport rule that lacks -p tcp, -p udp, -p udplite, -p sctp or -p dccp, then re-run iptables-restore --test until it reports nothing before applying the file for real.
Why it works:
A clean, syntactically correct rules file allows iptables-restore to apply the rules without encountering invalid module usage.
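To catch the mistakes from sections 1, 4 and 5 before iptables-restore ever sees the file, here is a small lint script as an added example; it is not part of the original article and not an iptables tool. It reads a file in iptables-save format and flags every -m multiport rule whose -p is missing, negated, or not one of the five protocols multiport supports. The sample rules file it writes is constructed for illustration, and the function and variable names are my own.

```shell
#!/bin/sh
# Added example, not code from the original article: lint an iptables-save style
# rules file for '-m multiport' rules whose protocol is not one multiport
# supports, before handing the file to iptables-restore. Pure text processing:
# no root needed and the live ruleset is never touched.
# libxt_multiport accepts tcp, udp, udplite, sctp and dccp, by name or by
# IP protocol number (6, 17, 136, 132, 33).

# Return 0 if the -p argument is a protocol multiport can work with.
multiport_proto_ok() {
    case "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" in
        tcp|6|udp|17|udplite|136|sctp|132|dccp|33) return 0 ;;
        *) return 1 ;;
    esac
}

# Classify one rule line. Prints one of:
#   skip        - the rule does not use multiport
#   ok          - multiport with a supported, non-negated protocol
#   noproto     - multiport with no -p at all
#   negated     - multiport with '! -p <proto>', which iptables rejects
#   bad:<proto> - multiport with a protocol that has no ports
# The body runs in a subshell so 'set -f' and the positional parameters
# do not leak into the caller.
classify_rule() (
    set -f                 # word-split the rule without pathname expansion
    # shellcheck disable=SC2086
    set -- $1
    uses_mp=0 proto="" neg=0 prev=""
    while [ $# -gt 0 ]; do
        case "$1" in
            -m|--match)    [ "${2:-}" = multiport ] && uses_mp=1 ;;
            -p|--protocol) proto=${2:-}; [ "$prev" = "!" ] && neg=1 ;;
        esac
        prev=$1
        shift
    done
    if   [ "$uses_mp" -eq 0 ];        then echo skip
    elif [ -z "$proto" ];             then echo noproto
    elif [ "$neg" -eq 1 ];            then echo negated
    elif multiport_proto_ok "$proto"; then echo ok
    else echo "bad:$proto"
    fi
)

# Lint a whole rules file. Prints "line N: <reason>: <rule>" for each offending
# rule and returns 1 if any were found, 0 otherwise. Non-rule lines (*table,
# :CHAIN policy, COMMIT, comments) never contain '-m multiport' and are skipped.
lint_rules_file() {
    rc=0 n=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        verdict=$(classify_rule "$line")
        case "$verdict" in
            skip|ok) ;;
            noproto) printf 'line %d: multiport without -p tcp/udp/udplite/sctp/dccp: %s\n' "$n" "$line"; rc=1 ;;
            negated) printf 'line %d: multiport with a negated protocol: %s\n' "$n" "$line"; rc=1 ;;
            bad:*)   printf 'line %d: multiport with -p %s, which has no ports: %s\n' "$n" "${verdict#bad:}" "$line"; rc=1 ;;
        esac
    done < "$1"
    return "$rc"
}

# Constructed sample in iptables-save format (not taken from any real system),
# mixing correct rules with the mistakes discussed above and one valid SCTP
# rule that the "TCP/UDP only" folklore would wrongly flag.
write_sample_rules() {
    cat > "$1" <<'EOF'
*filter
:INPUT DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp -m multiport --dports 22,80,443 -j ACCEPT
-A INPUT -p udp -m multiport --dports 500,4500 -j ACCEPT
-A INPUT -p sctp -m multiport --dports 3868,36412 -j ACCEPT
-A INPUT -p icmp -m multiport --dports 80,443 -j ACCEPT
-A OUTPUT -p esp -m multiport --dports 500,4500 -j ACCEPT
-A INPUT -m multiport --dports 80,443 -j ACCEPT
-A INPUT ! -p tcp -m multiport --dports 80,443 -j DROP
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
-A OUTPUT -p esp -j ACCEPT
COMMIT
EOF
}

# Run the lint against the constructed sample and report; four rules are flagged.
rules=$(mktemp)
write_sample_rules "$rules"
if lint_rules_file "$rules"; then
    echo "no multiport/protocol mismatches; next step: iptables-restore --test < $rules"
else
    echo "fix the rules above before running iptables-restore"
fi
rm -f "$rules"
```

Point lint_rules_file at your real file (for example /etc/sysconfig/iptables or /etc/iptables/rules.v4) and fix every line it reports; once it is silent, iptables-restore --test gives the authoritative verdict, since it runs the actual extension parsers against the file.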
6. Kernel Version Incompatibility or Bug
In very rare cases, an older or specific kernel version might lack support for multiport in some configuration. Bear in mind that the two messages quoted at the top of this page come from the userspace multiport extension, not the kernel, so a kernel problem is unlikely to produce them. Kernel-side rejections appear when the rule is committed, typically as "iptables: Invalid argument. Run `dmesg' for more information.", and dmesg then holds the detail.
Diagnosis: Check your kernel and iptables versions; the userspace extensions ship with the iptables package, and the iptables -V output also tells you whether the legacy or nf_tables backend is in use.
uname -r
iptables -V
Search for known iptables or xt_multiport bugs affecting that combination.
Fix: If a bug is identified, the primary fix is to upgrade your kernel to a newer, stable version.
Why it works: A newer kernel typically includes fixes for known bugs and improved compatibility with networking modules.
The same protocol restriction applies to the other protocol-specific matches: --dport and --sport need -p tcp or -p udp, --syn and --tcp-flags need -p tcp, --icmp-type needs -p icmp, and using any of them without the matching -p fails with an "unknown option" error. Check for those in the same pass through your rules.