Iptables conntrack hashlimit-srcmask 未按预期工作

我正在尝试阻止具有 /24 IPV4 子网的端口扫描器，它们在这些子网之间缓慢轮换以试图避免被发现。

我的 iptable 规则是

-A RATE-LIMIT --match hashlimit --hashlimit-upto 2/hour --hashlimit-burst 2 --hash-limit-srcmask 24 --hashlimit-name conn_rate_limit --jump RETURN
-A RATE-LIMIT --jump LOG --log-prefix "Limit Reject: "
-A RATE-LIMIT --jump DROP

当我尝试自己进行端口扫描时，它可以被正确检测到，但是以下流量却没有（每次尝试间隔 5 秒）：

SRC=212.133.164.xxx PROTO=TCP DPT=2347
SRC=212.133.164.xxx PROTO=TCP DPT=61715
SRC=212.133.164.xxx PROTO=TCP DPT=8701
SRC=212.133.164.xxx PROTO=TCP DPT=49290
SRC=212.133.164.xxx PROTO=TCP DPT=2346
SRC=212.133.164.xxx PROTO=TCP DPT=2869
SRC=212.133.164.xxx PROTO=TCP DPT=47074
SRC=212.133.164.xxx PROTO=TCP DPT=65001
SRC=212.133.164.xxx PROTO=TCP DPT=61832
SRC=212.133.164.xxx PROTO=TCP DPT=50430
SRC=212.133.164.xxx PROTO=TCP DPT=50075
SRC=212.133.164.xxx PROTO=TCP DPT=2061
SRC=212.133.164.xxx PROTO=TCP DPT=50814
SRC=212.133.164.xxx PROTO=TCP DPT=58330
SRC=212.133.164.xxx PROTO=TCP DPT=56761
SRC=212.133.164.xxx PROTO=TCP DPT=56817
SRC=212.133.164.xxx PROTO=TCP DPT=49706
SRC=212.133.164.xxx PROTO=TCP DPT=3375
SRC=212.133.164.xxx PROTO=TCP DPT=59662
SRC=212.133.164.xxx PROTO=TCP DPT=49681
SRC=212.133.164.xxx PROTO=TCP DPT=64893
SRC=212.133.164.xxx PROTO=TCP DPT=42781

我对 hashlimit-srcmask 的理解是：

When --hashlimit-mode srcip is used, all source addresses encountered will be grouped according to the given prefix length and the so-created subnet will be subject to hashlimit. prefix must be between (inclusive) 0 and 32. Note that --hashlimit-srcmask 0 is basically doing the same thing as not specifying srcip for --hashlimit-mode, but is technically more expensive.

使用“24”作为掩码应该在达到限制后阻止来自 212.133.164.0/24 的所有流量，但不会发生匹配。