Basically, we'll set up a separate chain, add a rule that sends packets to that chain, then add a logging rule that logs packets that end up in it.
Enabling logging
We’ll need to know where to put the filter for the redirection:
$ sudo iptables -L --line-numbers
Chain INPUT (policy ACCEPT)
num target prot opt source destination
[snip]
10 DROP all -- anywhere anywhere
In this example, use line number 9 in the second command below.
Create the rules:
$ sudo iptables --new-chain LOGGING
$ sudo iptables -I INPUT 9 -j LOGGING
$ sudo iptables -A LOGGING -m limit --limit 2/min -j LOG --log-prefix "IPTables-Dropped: " --log-level 4
$ sudo iptables -A LOGGING -j DROP
In short: create the new chain, then redirect packets to it. Add the logging rule to the LOGGING chain, then a final rule that drops the packets, to be sure.
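Once the rules are in place, the kernel log carries lines with the "IPTables-Dropped: " prefix. The following is an added example (not part of the original post) that counts those lines per source address, protocol and destination port; the function names and the sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: summarise packets logged by the LOGGING chain.
# Reads kernel log lines on stdin and prints "count SRC PROTO DPT",
# highest count first. Lines without the log prefix are ignored.
summarize_drops() {
    awk '
    /IPTables-Dropped: / {
        src = "-"; proto = "-"; dpt = "-"   # DPT is absent for ICMP
        for (i = 1; i <= NF; i++) {
            if      ($i ~ /^SRC=/)   src   = substr($i, 5)
            else if ($i ~ /^PROTO=/) proto = substr($i, 7)
            else if ($i ~ /^DPT=/)   dpt   = substr($i, 5)
        }
        count[src " " proto " " dpt]++
    }
    END { for (k in count) print count[k], k }
    ' | LC_ALL=C sort -k1,1nr -k2
}

# Constructed sample input (documentation addresses, made-up host name).
sample_log() {
    cat <<'EOF'
Jan  1 12:00:01 fw kernel: [ 100.000001] IPTables-Dropped: IN=eth0 OUT= MAC=00:00:5e:00:53:01:00:00:5e:00:53:02:08:00 SRC=198.51.100.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=4711 DF PROTO=TCP SPT=51234 DPT=23 WINDOW=29200 RES=0x00 SYN URGP=0
Jan  1 12:00:31 fw kernel: [ 130.000001] IPTables-Dropped: IN=eth0 OUT= MAC=00:00:5e:00:53:01:00:00:5e:00:53:02:08:00 SRC=198.51.100.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=4712 DF PROTO=TCP SPT=51235 DPT=23 WINDOW=29200 RES=0x00 SYN URGP=0
Jan  1 12:01:02 fw kernel: [ 161.000001] IPTables-Dropped: IN=eth0 OUT= MAC=00:00:5e:00:53:01:00:00:5e:00:53:03:08:00 SRC=203.0.113.9 DST=192.0.2.10 LEN=71 TOS=0x00 PREC=0x00 TTL=48 ID=99 PROTO=UDP SPT=40000 DPT=53 LEN=51
Jan  1 12:01:10 fw sshd[812]: Server listening on 0.0.0.0 port 22.
Jan  1 12:01:33 fw kernel: [ 192.000001] IPTables-Dropped: IN=eth0 OUT= MAC=00:00:5e:00:53:01:00:00:5e:00:53:02:08:00 SRC=198.51.100.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=4713 DF PROTO=TCP SPT=51236 DPT=23 WINDOW=29200 RES=0x00 SYN URGP=0
Jan  1 12:02:05 fw kernel: [ 224.000001] IPTables-Dropped: IN=eth0 OUT= MAC=00:00:5e:00:53:01:00:00:5e:00:53:03:08:00 SRC=203.0.113.9 DST=192.0.2.10 LEN=84 TOS=0x00 PREC=0x00 TTL=48 ID=100 PROTO=ICMP TYPE=8 CODE=0 ID=7 SEQ=1
EOF
}

sample_log | summarize_drops
```

On a live host, pipe the kernel log into summarize_drops instead of sample_log (for example from journalctl -k or /var/log/kern.log, depending on the distribution). Because the LOG rule is limited to 2/min, the counts are a sample of what was dropped, not a total: packets over the limit skip the LOG rule and go straight to the DROP rule.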
Reverting/Disabling the changes
To undo it, check the line number of the redirect rule first (it may have moved if you have made other changes):
$ sudo iptables -L --line-numbers | grep -E "(Chain|LOGG)"
Chain INPUT (policy ACCEPT)
9 LOGGING all -- anywhere anywhere
Remove the rule:
$ sudo iptables -D INPUT 9
Delete any rules on the LOGGING chain:
$ sudo iptables -D LOGGING 2
$ sudo iptables -D LOGGING 1
Delete the chain:
$ sudo iptables --delete-chain LOGGING
Relevant links (where I got the main part of the info from):