Don't do it like that. People tie themselves in all sorts of knots trying to customise iptables exclusions, but it's not the right way to handle the problem.
Instead, use the first-dispositive-match-wins logic of iptables to work for you. List the exceptions first:
iptables -A INPUT -s 192.168.1.1 -p tcp [...] -j ACCEPT
iptables -A INPUT -s 192.168.2.2 -p tcp [...] -j ACCEPT
iptables -A INPUT -s 192.168.3.3 -p tcp [...] -j ACCEPT
and then the rule:
iptables -A INPUT -p tcp --syn -m connlimit [...] -j DROP
If you don't want to blindly ACCEPT packets from those privileged source IPs, but merely exempt them from further rate-limiting controls, you can move the rate-limiting logic off to a chain on its own, and RETURN to the main INPUT chain (for further processing) packets from sources that you want to exempt from the rate-limiting control:
iptables -N ratelimiter
iptables -A ratelimiter -s 192.168.1.1 -j RETURN
iptables -A ratelimiter -s 192.168.2.2 -j RETURN
iptables -A ratelimiter -s 192.168.3.3 -j RETURN
iptables -A ratelimiter -p tcp --syn -m connlimit [...] -j DROP
#
iptables -A INPUT -p tcp [...] -j ratelimiter
iptables -A INPUT [ further business-appropriate checks ]
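
The exemption-chain layout above as a small generator, added here as an example and not part of the original answer. It prints the commands rather than running them, and the port (443), the limit (`--connlimit-above 20`) and the function names `valid_src` and `emit_ratelimiter` are assumptions made for illustration:

```shell
#!/bin/sh
# Added example. Prints the commands instead of running them (no root needed).
# Assumed values, not from the answer: port 443, limit 20, the exemption list.

# valid_src ADDR[/PREFIX]: succeed only for a dotted-quad IPv4 source, so that
# nothing else can end up inside the generated rule text.
valid_src() {
    addr=${1%%/*}
    case $1 in
        */*) prefix=${1#*/}
             case $prefix in ''|*[!0-9]*|???*) return 1 ;; esac
             [ "$prefix" -le 32 ] || return 1 ;;
    esac
    case $addr in ''|*[!0-9.]*|*.) return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $addr; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in ''|????*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
}

# emit_ratelimiter PORT LIMIT SRC...: print the chain with exemptions first.
emit_ratelimiter() {
    [ $# -ge 2 ] || return 1
    port=$1 limit=$2
    shift 2
    for n in "$port" "$limit"; do
        case $n in ''|*[!0-9]*) echo "bad number: $n" >&2; return 1 ;; esac
    done
    # Validate every exemption before printing anything: no partial rule sets.
    for src in "$@"; do
        valid_src "$src" || { echo "bad source: $src" >&2; return 1; }
    done
    echo "iptables -N ratelimiter"
    # RETURN is dispositive inside this chain: an exempt source leaves before
    # the connlimit rule and carries on with the checks that follow in INPUT.
    for src in "$@"; do
        echo "iptables -A ratelimiter -s $src -j RETURN"
    done
    # Everyone else falls through to the limit (connlimit counts per source IP).
    echo "iptables -A ratelimiter -p tcp --syn -m connlimit --connlimit-above $limit -j DROP"
    echo "iptables -A INPUT -p tcp --dport $port -j ratelimiter"
}

emit_ratelimiter 443 20 192.168.1.1 192.168.2.2 192.168.3.3
```

Review the printed commands before applying them; a malformed entry in the exemption list makes the function fail without printing any rule.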