> > 2) Does a "-j LOG" return to the chain it was called from, or does it do
> > an implicit DROP?
> >
> > It returns to the spot where it was called from.
>
Yep, so you could create a new chain to drop and log:

/sbin/iptables -N logdrop                                  # new user-defined chain
/sbin/iptables -A logdrop -j LOG --log-prefix 'DROP '      # LOG is non-terminating, falls through
/sbin/iptables -A logdrop -j DROP                          # ...to the DROP on the next rule

Then call that one:

/sbin/iptables -A tcp_packets -p TCP --dport 80 -j ACCEPT
/sbin/iptables -A tcp_packets -p TCP -j logdrop           # everything else TCP: log, then drop
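To make the traversal rule in the thread concrete (LOG is non-terminating and the packet continues with the next rule; a user chain that runs out of rules implicitly RETURNs to the rule after the jump in the calling chain; ACCEPT/DROP end traversal), here is a small Python model of that behaviour. This is an added illustration written for this page, not kernel or iptables code; the chain names and the packet dictionaries are constructed to mirror the rules above, and the log line format is my own.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Targets that end traversal for the packet (model of the netfilter verdicts).
TERMINATING = {"ACCEPT", "DROP", "REJECT"}

Packet = Dict[str, object]


@dataclass
class Rule:
    match: Dict[str, object]  # e.g. {"proto": "tcp", "dport": 80}; {} matches everything
    target: str               # ACCEPT / DROP / REJECT / LOG / RETURN / a user chain name
    log_prefix: str = ""      # used only by LOG, like --log-prefix


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    return all(pkt.get(k) == v for k, v in rule.match.items())


def traverse(chains: Dict[str, List[Rule]], chain: str,
             pkt: Packet, log: List[str]) -> Optional[str]:
    """Walk one chain. Returns a terminating verdict, or None for RETURN."""
    for rule in chains[chain]:
        if not rule_matches(rule, pkt):
            continue
        if rule.target == "LOG":
            # Non-terminating: record the packet and keep going in this chain.
            log.append(f"{rule.log_prefix}{pkt['proto']}/{pkt.get('dport', '-')}")
            continue
        if rule.target in TERMINATING:
            return rule.target
        if rule.target == "RETURN":
            return None
        # Jump into a user-defined chain; if it returns without a verdict,
        # carry on with the next rule of this (calling) chain.
        verdict = traverse(chains, rule.target, pkt, log)
        if verdict is not None:
            return verdict
    return None  # end of chain: implicit RETURN to the caller


def filter_packet(chains: Dict[str, List[Rule]], pkt: Packet,
                  policy: str = "ACCEPT") -> Tuple[str, List[str]]:
    """Run a packet through INPUT; the built-in chain's policy applies on RETURN."""
    log: List[str] = []
    verdict = traverse(chains, "INPUT", pkt, log)
    return (verdict or policy, log)


# The ruleset from the post: TCP goes to tcp_packets, port 80 is accepted,
# everything else TCP is logged and then dropped by the logdrop chain.
RULESET: Dict[str, List[Rule]] = {
    "INPUT": [Rule({"proto": "tcp"}, "tcp_packets")],
    "tcp_packets": [Rule({"proto": "tcp", "dport": 80}, "ACCEPT"),
                    Rule({"proto": "tcp"}, "logdrop")],
    "logdrop": [Rule({}, "LOG", log_prefix="DROP "),
                Rule({}, "DROP")],
}

# The pitfall behind the original question: a chain holding only LOG does not
# drop anything; the packet returns to INPUT and the chain policy decides.
LOG_ONLY_RULESET: Dict[str, List[Rule]] = {
    "INPUT": [Rule({"proto": "tcp"}, "logonly")],
    "logonly": [Rule({}, "LOG", log_prefix="SEEN ")],
}


if __name__ == "__main__":
    for pkt in ({"proto": "tcp", "dport": 80}, {"proto": "tcp", "dport": 22},
                {"proto": "udp", "dport": 53}):
        print(pkt, "->", filter_packet(RULESET, pkt))
    print("LOG only:", filter_packet(LOG_ONLY_RULESET, {"proto": "tcp", "dport": 22}))
```

The LOG_ONLY_RULESET case is the one worth remembering: if the DROP rule after the LOG is forgotten, the chain returns to INPUT and the packet is accepted by a default ACCEPT policy, logged but not blocked.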