A few weeks back I submitted a patch to document the invert option of multiport, without noticing that it doesn't actually support invert. I've looked at it, and it is a compatibility nightmare to try to add support for it while still supporting old kernel/userspace. So, here's a patch to throw an error on this:

    iptables -A FORWARD -m multiport -p tcp ! --dport 1,2,3 -j DROP

instead of silently accepting it and potentially causing issues.

Phil