diff --git a/src/internal/server/netlink/iptables.go b/src/internal/server/netlink/iptables.go
index fd1be09..7aa9820 100644
--- a/src/internal/server/netlink/iptables.go
+++ b/src/internal/server/netlink/iptables.go
@@ -28,6 +28,7 @@ var RuleDelTCPTS = []string{
 }
 
 var RuleIP = []string{
+ "-p", "tcp",
  "-j", "NFQUEUE",
  "--queue-num", strconv.Itoa(netfilter.HELPER_QUEUE),
  "--queue-bypass",
diff --git a/src/internal/server/netlink/nftables.go b/src/internal/server/netlink/nftables.go
index 2d0aa26..efb3aba 100644
--- a/src/internal/server/netlink/nftables.go
+++ b/src/internal/server/netlink/nftables.go
@@ -114,6 +114,7 @@ func (s *Server) NftSetIP(tx *knftables.Transaction, table *knftables.Table) {
  rule := &knftables.Rule{
  Chain: chain.Name,
  Rule: knftables.Concat(
+ "meta l4proto tcp",
  fmt.Sprintf("counter queue num %d bypass", s.nfqServer.QueueNum),
  ),
  }
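Review bot: The `"-p", "tcp",` entry added to `RuleIP` narrows the NFQUEUE rule to TCP without a comment saying so, and the variable name still reads as if every packet for the matched addresses is queued. After this change UDP, ICMP and other non-TCP packets never reach the helper queue and are decided by whatever rules follow, so if the helper is expected to see or gate that traffic it no longer will; the callers are outside the diff, so this needs confirming. I would add above the variable `// RuleIP queues only TCP packets to the helper queue; other protocols never reach NFQUEUE.` The same restriction is added as `"meta l4proto tcp"` in `NftSetIP` in nftables.go, whose body starts and ends outside the hunk, and it deserves the same one-line comment so the two backends are documented as equivalent.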