I have currently this IPTABLES command:
iptables -A INPUT -s ! 192.168.0.2 -p tcp --syn -m connlimit [...] -j DROP
As far as I know, such rule limit some number of connections following various parameters, except for 192.168.0.2 which is free to open unlimited number of TCP connexions.
My concern is about excluding more /32 IPs (with no specific range pattern) like:
iptables -A INPUT -s ! IP1 IP2 ... IPN -p tcp --syn -m connlimit [...] -j DROP
How is it possible with iptables ?
Don't do it like that. People tie themselves in all sorts of knots trying to customise iptables exclusions, but it's not the right way to handle the problem.
Instead, use the first-dispositive-match-wins logic of iptables to work for you. List the exceptions first:
iptables -A INPUT -s 192.168.1.1 -p tcp [...] -j ACCEPT
iptables -A INPUT -s 192.168.2.2 -p tcp [...] -j ACCEPT
iptables -A INPUT -s 192.168.3.3 -p tcp [...] -j ACCEPT
and then the rule:
iptables -A INPUT -p tcp --syn -m connlimit [...] -j DROP
If you don't want to blindly ACCEPT packets from those privileged source IPs, but merely exempt them from further rate-limiting controls, you can move the rate-limiting logic off to a chain on its own, and RETURN to the main INPUT chain (for further processing) packets from sources that you want to exempt from the rate-limiting control:
iptables -N ratelimiter
iptables -A ratelimiter -s 192.168.1.1 -j RETURN
iptables -A ratelimiter -s 192.168.2.2 -j RETURN
iptables -A ratelimiter -s 192.168.3.3 -j RETURN
iptables -A ratelimiter --syn -m connlimit [...] -j DROP
#
iptables -A INPUT -p tcp [...] -j ratelimiter
iptables -A INPUT [ further business-appropriate checks ]
