diff --git a/pkg/guestagent/guestagent_linux.go b/pkg/guestagent/guestagent_linux.go
index 9d1c251f857..cbef538dc5d 100644
--- a/pkg/guestagent/guestagent_linux.go
+++ b/pkg/guestagent/guestagent_linux.go
@@ -271,10 +271,11 @@ func (a *agent) LocalPorts(_ context.Context) ([]*api.IPPort, error) {
 }
 for _, ipt := range ipts {
+ port := int32(ipt.AddrPort.Port())
 // Make sure the port isn't already listed from procnettcp
 found := false
 for _, re := range res {
- if re.Port == int32(ipt.Port) {
+ if re.Port == port {
 found = true
 }
 }
@@ -282,8 +283,8 @@ func (a *agent) LocalPorts(_ context.Context) ([]*api.IPPort, error) {
 if ipt.TCP {
 res = append(res, &api.IPPort{
- Ip: ipt.IP.String(),
- Port: int32(ipt.Port), // The port value is already ensured to be within int32 bounds in iptables.go
+ Ip: ipt.AddrPort.Addr().String(),
+ Port: port,
 Protocol: "tcp",
 })
 }
diff --git a/pkg/guestagent/iptables/iptables.go b/pkg/guestagent/iptables/iptables.go
index 99be0a035ab..ec7125b8531 100644
--- a/pkg/guestagent/iptables/iptables.go
+++ b/pkg/guestagent/iptables/iptables.go
@@ -7,6 +7,7 @@ import (
 "bytes"
 "errors"
 "net"
+ "net/netip"
 "os/exec"
 "regexp"
 "strconv"
@@ -15,9 +16,8 @@ import (
 )
 type Entry struct {
- TCP bool
- IP net.IP
- Port int
+ TCP bool
+ AddrPort netip.AddrPort
 }
 // This regex can detect a line in the iptables added by portmap to do the
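Review bot: The dedup loop that the new `port` variable feeds still matches procnettcp entries by port alone and keeps scanning after a hit, so an iptables entry for a specific address is suppressed whenever any address on that port is already listed. Now that the entry carries a full `netip.AddrPort`, the address is available for the comparison: `if re.Port == port && re.Ip == ipt.AddrPort.Addr().String() { found = true; break }`. Whether a same-port/different-address entry should be suppressed predates this change, so if "port already exposed, regardless of address" is the intended policy, a comment saying so on the `found := false` line would stop the next reader from re-raising this. `LocalPorts` starts before and continues past this hunk.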
@@ -72,23 +72,25 @@ func parsePortsFromRules(rules []string) ([]Entry, error) {
 if len(found) != 4 {
 continue
 }
- port64, err := strconv.ParseInt(found[3], 10, 32)
+ port16, err := strconv.ParseUint(found[3], 10, 16)
 if err != nil {
 return nil, err
 }
- port := int(port64)
+ port := uint16(port16)
 isTCP := found[2] == "tcp"
 // When no IP is present the rule applies to all interfaces.
- ip := found[1]
- if ip == "" {
- ip = "0.0.0.0"
+ addr := netip.IPv4Unspecified()
+ if s := found[1]; s != "" {
+ addr, err = netip.ParseAddr(s)
+ if err != nil {
+ return nil, err
+ }
 }
 ent := Entry{
- IP: net.ParseIP(ip),
- Port: port,
- TCP: isTCP,
+ AddrPort: netip.AddrPortFrom(addr, port),
+ TCP: isTCP,
 }
 entries = append(entries, ent)
 }
@@ -128,7 +130,7 @@ func checkPortsOpen(pts []Entry) ([]Entry, error) {
 var entries []Entry
 for _, pt := range pts {
 if pt.TCP {
- conn, err := net.DialTimeout("tcp", net.JoinHostPort(pt.IP.String(), strconv.Itoa(pt.Port)), time.Second)
+ conn, err := net.DialTimeout("tcp", pt.AddrPort.String(), time.Second)
 if err == nil && conn != nil {
 conn.Close()
 entries = append(entries, pt)
diff --git a/pkg/guestagent/iptables/iptables_test.go b/pkg/guestagent/iptables/iptables_test.go
index 2830591fc5e..a5e89680d85 100644
--- a/pkg/guestagent/iptables/iptables_test.go
+++ b/pkg/guestagent/iptables/iptables_test.go
@@ -4,6 +4,7 @@ package iptables
 import (
+ "net/netip"
 "strings"
 "testing"
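Review bot: A rule whose address `netip.ParseAddr` rejects now fails the whole `parsePortsFromRules` call (`return nil, err` right after `addr, err = netip.ParseAddr(s)`), whereas the old `net.ParseIP` path silently produced a nil IP and the remaining rules were still returned. The regex that fills `found[1]` is outside this hunk, so this is inferred, but if its capture can match anything outside ParseAddr's grammar (a CIDR suffix, for instance), one odd rule would hide every forwarded port from the caller; skipping that rule with `continue` may be the safer failure mode. Whichever policy is chosen, a one-line comment next to the `return nil, err` stating that a malformed address aborts (or skips) would make it deliberate. `parsePortsFromRules` begins before and ends after this hunk.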
@@ -84,10 +85,6 @@ func TestParsePortsFromRules(t *testing.T) {
 l := len(res)
 assert.Equal(t, l, 2, "unexpected number of ports parsed from iptables")
- if res[0].IP.String() != "0.0.0.0" || res[0].Port != 8082 || res[0].TCP != true {
- t.Errorf("expected port 8082 on IP 0.0.0.0 with TCP true but got port %d on IP %s with TCP %t", res[0].Port, res[0].IP.String(), res[0].TCP)
- }
- if res[1].IP.String() != "127.0.0.1" || res[1].Port != 8081 || res[1].TCP != true {
- t.Errorf("expected port 8081 on IP 127.0.0.1 with TCP true but go port %d on IP %s with TCP %t", res[1].Port, res[1].IP.String(), res[1].TCP)
- }
+ assert.Equal(t, res[0], Entry{AddrPort: netip.MustParseAddrPort("0.0.0.0:8082"), TCP: true})
+ assert.Equal(t, res[1], Entry{AddrPort: netip.MustParseAddrPort("127.0.0.1:8081"), TCP: true})
 }
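Review bot: The two new `assert.Equal` calls pass the actual value first and the expected `Entry` second; assuming `assert` is testify, its signature is `Equal(t, expected, actual, ...)`, so a failure would print the "expected" and "actual" labels swapped. Swap the arguments: `assert.Equal(t, Entry{AddrPort: netip.MustParseAddrPort("0.0.0.0:8082"), TCP: true}, res[0])` and likewise for `res[1]`. The context line `assert.Equal(t, l, 2, ...)` has the same inversion but predates this change.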