The original is already good, but it was in the wrong hook, and running it via conntrack as it is now in the code is also nonsense without specifying SYN, because conntrack new also contains other flags, so the command should be like this:
meta l4proto tcp tcp flags & (fin|syn|rst|ack) != syn ct state new counter drop
meta l4proto tcp ct state new jump syn_flood comment "!fw4: Rate limit TCP syn packets"
But the problem remains that it is in the wrong hook; in the input hook it makes little sense. In my script it is fixed in the prerouting raw area on the WAN port, and there are no problems there. Probably the meta l4proto is not necessary, because in my tests it was also set with only tcp flags...
Well, that's why conntrack is not recommended in this regard. The easiest way is to install the limitation in the raw prerouting area and adjust the values depending on whether it applies only to the WAN port or to all ports. For the WAN port inbound, 25/50 is OK (although 70/5 would probably be more precise), but for all ports I would go towards 400. The bigger problem is not so much the SYN packets but the UDP packets anyway, because certain systems with W at the beginning like to start a UDP flood, for example if no IPv6 is available.
//edit/ If there are many small packets, they could also come from a system service; some services use the lo device for communication between their components, such as ClamAV.
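
The raw prerouting placement described in the post, as an added example that is not part of the original post and not fw4's generated ruleset. The table name, chain name and the interface name "wan" are assumptions, and 25/50 is read here as 25 SYNs per second with a burst of 50 packets.

```nft
# Added example: SYN rate limit in the raw prerouting hook.
# Assumed names: table "synlimit_example", chain "raw_prerouting",
# WAN interface "wan". Adjust iifname to the real WAN device.
table inet synlimit_example {
    chain raw_prerouting {
        # Priority "raw" (-300) runs before connection tracking (-200),
        # so "ct state" is not usable here. The rule therefore matches
        # on TCP flags only, as the post suggests.
        type filter hook prerouting priority raw; policy accept;

        # Match only bare SYNs: of FIN, SYN, RST and ACK, exactly SYN is set.
        # Packets above 25/second (after a burst of 50) are counted and
        # dropped before a conntrack entry is created for them.
        iifname "wan" tcp flags & (fin|syn|rst|ack) == syn \
            limit rate over 25/second burst 50 packets \
            counter drop

        # For a limit across all ports rather than WAN only, the post
        # suggests a value towards 400. Shown commented out; the burst
        # value here is an assumption, the post gives none.
        # tcp flags & (fin|syn|rst|ack) == syn \
        #     limit rate over 400/second burst 50 packets \
        #     counter drop
    }
}
```

Load the file with `nft -f` and watch the counter with `nft list table inet synlimit_example` to see whether legitimate traffic is hitting the limit before tightening it.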