Depending on the number of packets you are dropping/rejecting, I don't know that logging them all would be a good idea.
I have a chain that I create to do the logging before sending to DROP:
Code:
# custom chain: log (rate-limited), then drop
iptables -N dropit
# log at most 15 matching packets per minute, tagged with the prefix
# (trailing space keeps the prefix separate from the packet fields)
iptables -A dropit -m limit --limit 15/minute -j LOG --log-prefix "Dropped: "
# everything that reaches this point is dropped
iptables -A dropit -j DROP
Then you would call 'dropit' where you would normally call DROP:
Code:
# replace ip/cidr-to-drop with the address or network you want blocked
iptables -A INPUT -s ip/cidr-to-drop -j dropit
So traffic from 'ip/cidr-to-drop' will come in on INPUT, jump to 'dropit' (logged at a rate of 15 per minute) and then jump to DROP.
You can change the rate to whatever fits your needs.
Hope this helps.
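The same logging chain as a reusable script, added here as an example and not code from the post above. It goes a little beyond the post: it handles re-running (iptables -N fails when the chain already exists, so it flushes instead), adds --limit-burst and an explicit --log-level, validates the source before it reaches the iptables command line, and inserts the block rule at the top of INPUT rather than appending it, so an earlier ACCEPT cannot let the source through first. The chain name, rate, burst, prefix and the RUN=echo dry-run switch are this script's own variables, not anything from the post.

```shell
#!/bin/sh
# Added example (not from the original post): build the 'dropit' chain
# idempotently and attach sources to it. Assumptions: 'iptables' is in
# PATH, and RUN=echo selects a dry run that only prints the commands.
set -eu

CHAIN="${CHAIN:-dropit}"
LOG_RATE="${LOG_RATE:-15/minute}"      # the post's --limit 15/minute
LOG_BURST="${LOG_BURST:-5}"            # packets logged before the limit applies
LOG_PREFIX="${LOG_PREFIX:-Dropped: }"  # trailing space separates prefix from fields
RUN="${RUN:-}"                         # set RUN=echo for a dry run

# Only accept something shaped like an IPv4 address or CIDR, so a typo or a
# shell metacharacter never ends up on the iptables command line.
valid_cidr() {
    case "$1" in
        ""|*[!0-9./]*|*/*/*|.*|*.|/*|*/|*..*|*./*|*/.*) return 1 ;;
    esac
    return 0
}

# Create the chain, or flush it if it already exists (-N fails on an
# existing chain), then add the rate-limited LOG and the final DROP.
make_dropit_chain() {
    $RUN iptables -N "$CHAIN" 2>/dev/null || $RUN iptables -F "$CHAIN"
    $RUN iptables -A "$CHAIN" -m limit --limit "$LOG_RATE" --limit-burst "$LOG_BURST" \
        -j LOG --log-prefix "$LOG_PREFIX" --log-level 4
    $RUN iptables -A "$CHAIN" -j DROP
}

# Insert the source at the top of INPUT so an earlier ACCEPT (for example an
# established-connection rule) cannot let the blocked source through first.
block_source() {
    valid_cidr "$1" || { printf 'refusing bad source: %s\n' "$1" >&2; return 1; }
    $RUN iptables -I INPUT 1 -s "$1" -j "$CHAIN"
}

# Usage: RUN=echo sh dropit.sh 203.0.113.0/24 198.51.100.7   (dry run, prints only)
#        sh dropit.sh 203.0.113.0/24                          (as root, applies)
main() {
    make_dropit_chain
    for src in "$@"; do
        block_source "$src"
    done
}

# Run only when given sources on the command line; sourcing the file just
# defines the functions.
if [ "$#" -gt 0 ]; then
    main "$@"
fi
```

Run it with RUN=echo first and compare the printed commands with the ones in the post; the only differences should be the added --limit-burst, --log-level and the -I INPUT 1 insertion. The addresses in the usage line are documentation ranges used purely as placeholders.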