
iptables: Failure when trying to block port access for most IP addresses, except for a few

0 votes
1 answer
300 views
I am using Debian 8 Linux. I'm trying to block input access to a few ports for most IP addresses, except for a small, select list of IP addresses. I am doing the following, but it does not seem to work:

    % sudo /sbin/iptables -v -A INPUT -p tcp -m set '!' --match-set allow-list src -m multiport --dports 110,143,993,995 -j DROP

Whenever there is an access attempt to any of those ports from an IP address that is not in allow-list, that attempt is still succeeding.

These are the first few lines of allow-list:

    % sudo /sbin/ipset list allow-list
    Name: allow-list
    Type: hash:net
    Revision: 6
    Header: family inet hashsize 16384 maxelem 262144
    Size in memory: 687888
    References: 2
    Members:
    125.8.0.0/13
    160.94.0.0/15
    104.37.68.0/22
    205.233.22.0/23
    [ ... more CIDR entries ... ]

And this is the current iptables configuration:

    % sudo /sbin/iptables -L
    Chain INPUT (policy ACCEPT)
    target     prot opt source               destination
    DROP       tcp  --  anywhere             anywhere             ! match-set allow-list src multiport dports pop3,imap2,imaps,pop3s

    Chain FORWARD (policy ACCEPT)
    target     prot opt source               destination

    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination

What am I doing incorrectly? Thank you very much in advance.
Asked by HippoMan (737 rep)
May 15, 2022, 08:50 PM
Last activity: May 17, 2022, 12:43 AM
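The following is an added example, not code from the question or its answer. It models the verdict of the single filter/INPUT rule posted above (`-p tcp -m set ! --match-set allow-list src -m multiport --dports 110,143,993,995 -j DROP`, chain policy ACCEPT) so that a test source address can be checked offline against the set members before blaming the rule. The set contents below are constructed from the four members visible in the question's `ipset list` output; the real set has more entries, and the test packets are invented.

```python
"""Offline model of the posted iptables/ipset rule (added example, not from the question)."""
import ipaddress

# Constructed sample: the members visible in the question's `ipset list` dump.
IPSET_LIST_OUTPUT = """\
Name: allow-list
Type: hash:net
Revision: 6
Header: family inet hashsize 16384 maxelem 262144
Size in memory: 687888
References: 2
Members:
125.8.0.0/13
160.94.0.0/15
104.37.68.0/22
205.233.22.0/23
"""

# -m multiport --dports 110,143,993,995 (pop3, imap2, imaps, pop3s)
PROTECTED_PORTS = {110, 143, 993, 995}


def parse_ipset_list(text):
    """Return the member networks of an `ipset list` dump for a hash:net set."""
    members = []
    in_members = False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Members:":
            in_members = True
        elif in_members and line:
            # hash:net members may carry options (timeout, comment); the CIDR is the first field
            members.append(ipaddress.ip_network(line.split()[0], strict=False))
    return members


def in_set(src, members):
    """Equivalent of `-m set --match-set allow-list src` for one source address."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in members if net.version == addr.version)


def verdict(src, proto, dport, members, policy="ACCEPT"):
    """Verdict of the question's INPUT chain for one inbound packet.

    Returns 'DROP' when the rule matches, otherwise the chain policy. An
    IPv6 source is reported as UNFILTERED: the rule lives in iptables (IPv4),
    and ip6tables decides IPv6 traffic separately.
    """
    addr = ipaddress.ip_address(src)
    if addr.version != 4:
        return "UNFILTERED"
    rule_matches = (
        proto == "tcp"
        and dport in PROTECTED_PORTS
        and not in_set(src, members)  # the '!' negation on --match-set
    )
    return "DROP" if rule_matches else policy


def member_ranges(members):
    """First and last address of each member; a /13 covers more than it looks."""
    return {str(net): (str(net[0]), str(net[-1])) for net in members}


def main():
    members = parse_ipset_list(IPSET_LIST_OUTPUT)
    for net, (first, last) in member_ranges(members).items():
        print(f"{net}: {first} .. {last}")
    # Constructed test packets (RFC 5737/3849 documentation addresses).
    for src, proto, port in [
        ("125.9.1.1", "tcp", 143),      # inside 125.8.0.0/13, so allowed
        ("203.0.113.5", "tcp", 993),    # not in the set, protected port
        ("203.0.113.5", "tcp", 25),     # not in the set, unprotected port
        ("2001:db8::1", "tcp", 143),    # IPv6: this rule never sees it
    ]:
        print(f"{src} {proto}/{port} -> {verdict(src, proto, port, members)}")


if __name__ == "__main__":
    main()
```

If the model says DROP for a source that still gets through on the real host, the disagreement is between the model and the kernel, not in the rule syntax. The checks worth running at that point: `ipset test allow-list <source-ip>` to confirm the live set's view of the test address; `iptables -vnL INPUT` to see whether the rule's packet counter moves during a test; `iptables -t raw -L`, `-t mangle` and `-t nat`, since `iptables -L` without `-t` shows only the filter table while the set's `References: 2` indicates a second rule referencing it somewhere; and `ip6tables -L` if the service is reachable over IPv6.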