workaround for iptables limit multiport rule

The implicit -m tcp, -m udp (and sctp etc.) all accept port range parameters. So your current example could be simplified into simply:

iptables -A INPUT -p tcp -m tcp --dport 1:16 -j DROP # -m tcp is implicitly loaded if omitted anyway

It's the same for -m multiport except a range eats two slots:

multiport

This module matches a set of source or destination ports. Up to 15 ports can be specified. A port range (port:port) counts as two ports.

So if there are up to 7 ranges (+1 single port), you can do something like:

iptables -A INPUT -p tcp -m multiport --dport 1:5,10:50,6666 -j DROP

If you plan on an arbitrary high number of ports without adding a high number of rules, you can switch to using ipset (which also requires using the ipset tool) and a set match:

ipset create portlist bitmap:port range 0-65535 #or narrower if known in advance
for i in $(seq 1 1000); do ipset add portlist $i; done

EDIT: actually the specific case above (all values in one single range) can also be simplified by using a range syntax in ipset (support might depend on version though) instead of the loop if needed. Won't change the set result:

ipset add portlist 1-1000

Single iptables rule:

iptables -A INPUT -p tcp -m set --match-set portlist dst -j DROP

A bitmap should have O(1) lookup: constant (and what could matter: very fast) time.

ipset can be dynamically changed while in use:

ipset del portlist 22

even from the packet path if really needed.

It offers a lot of other list types (like hash:ip,port), most of them hashed. They can be loaded with hundred of thousand of entries and still keep a fast lookup, and help having simple and generic rules.