I'm looking for help logging dropped IPs (non-US). If I place the log request before the -P INPUT DROP, all IPs get logged. I want to log dropped IPs other than US Amazon IPs. Can someone please advise?
-A INPUT -p tcp --dport 22 -j ACCEPT
-A OUTPUT -p tcp --sport 22 -j ACCEPT
-A INPUT -j LOG --log-level 4 --log-prefix 'InDrop '
-P INPUT DROP
-A INPUT -s 192.168.0.0/24 -j ACCEPT
-A INPUT -s 172.16.1.30/24 -j ACCEPT
.
. Accepting US IPs
.
-A INPUT -s 149.11.66.6/31 -j ACCEPT
-A INPUT -s 72.44.32.0/19 -m limit --limit 5/m --limit-burst 7 -j LOG --log-prefix "Amazonaws IP Drop A:"
-A INPUT -s 67.202.0.0/18 -m limit --limit 5/m --limit-burst 7 -j LOG --log-prefix "Amazonaws IP Drop A:"
.
. Logging Amazon Cloud
.
-A INPUT -s 54.233.0.0/18 -m limit --limit 5/m --limit-burst 7 -j LOG --log-prefix "Amazonaws IP Drop A:"
-A INPUT -s 96.127.0.0/18 -m limit --limit 5/m --limit-burst 7 -j LOG --log-prefix "Amazonaws IP Drop A:"
-A INPUT -s 72.44.32.0/19 -j DROP
-A INPUT -s 67.202.0.0/18 -j DROP
.
. Dropping Amazon Cloud
.
-A INPUT -s 174.129.0.0/16 -j DROP
-A INPUT -s 204.236.192.0/18 -j DROP
Thanks,
Jamie
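An added example for this thread (not part of Jamie's post, and not a reply from the original forum). It shows one way to lay the ruleset out so that the generic "InDrop" LOG only sees traffic that nothing else already handled: the ranges the post treats as Amazon jump to their own chain (named AMAZON_DROP here, an assumption of this example) that logs and drops, and the catch-all LOG is appended last in INPUT. The point the post is circling is that `-P INPUT DROP` sets the chain policy, which is consulted only after every rule has been tried, so where the `-P` line sits in the file does not change what gets logged; the order of the `-A` rules does. The address ranges are copied from the post (whether they really belong to Amazon is the poster's assumption), the conntrack match is assumed to be available, and 172.16.1.30/24 is written as 172.16.1.0/24 since iptables masks the host bits either way. The script prints an iptables-restore ruleset rather than calling iptables directly, and includes a small order checker that walks the generated INPUT chain for a given source address.

```shell
#!/bin/sh
# Added example for this thread, not code from Jamie's post.
# Emits an iptables-restore ruleset for the filter table in which:
#   1. every range the post treats as Amazon jumps to a dedicated chain
#      (AMAZON_DROP, a name chosen here) that logs with its own prefix
#      and then drops;
#   2. the generic "InDrop" LOG is the LAST rule in INPUT, so it only sees
#      packets that no ACCEPT and no Amazon rule already handled.
# ":INPUT DROP" is the chain policy. A policy is consulted only after every
# rule in the chain has been tried, so where "-P INPUT DROP" appears in the
# file has no effect on what gets logged; rule order does.
# Assumptions: the conntrack match is available; the address ranges are
# copied from the post and whether they are Amazon's is not checked here;
# 172.16.1.30/24 is written 172.16.1.0/24 (iptables masks host bits anyway).
#
# Usage as root:   sh rules.sh | iptables-restore --test    # syntax check
#                  sh rules.sh | iptables-restore           # apply

LAN_NETS='192.168.0.0/24 172.16.1.0/24'
US_ACCEPT='149.11.66.6/31'
AMAZON_NETS='72.44.32.0/19 67.202.0.0/18 54.233.0.0/18 96.127.0.0/18 174.129.0.0/16 204.236.192.0/18'
RATE='-m limit --limit 5/minute --limit-burst 7'

# gen_rules: print the whole ruleset in iptables-save syntax.
gen_rules() {
    echo '*filter'
    echo ':INPUT DROP [0:0]'
    echo ':FORWARD DROP [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'
    echo ':AMAZON_DROP - [0:0]'

    # Traffic that must never reach a LOG rule: loopback, replies, new SSH.
    echo '-A INPUT -i lo -j ACCEPT'
    echo '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    echo '-A INPUT -m conntrack --ctstate INVALID -j DROP'
    echo '-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT'

    for net in $LAN_NETS $US_ACCEPT; do
        echo "-A INPUT -s $net -j ACCEPT"
    done

    # Amazon ranges leave INPUT here and never reach the catch-all below.
    for net in $AMAZON_NETS; do
        echo "-A INPUT -s $net -j AMAZON_DROP"
    done

    # Catch-all, rate-limited so a scan cannot fill the log. Whatever gets
    # past it is dropped by the chain policy.
    echo "-A INPUT $RATE -j LOG --log-level 4 --log-prefix \"InDrop: \""

    # The Amazon chain: its own prefix, then an explicit DROP.
    echo "-A AMAZON_DROP $RATE -j LOG --log-level 4 --log-prefix \"Amazonaws IP Drop A: \""
    echo '-A AMAZON_DROP -j DROP'
    echo 'COMMIT'
}

# trace_src ADDR: walk the generated INPUT chain in order and print the
# target a packet from ADDR would reach (ACCEPT, AMAZON_DROP, LOG, or POLICY).
# Only "-s CIDR" matches are evaluated; interface, conntrack and port rules
# are skipped, i.e. this models a fresh, non-SSH packet. It is an order
# checker for this ruleset, not an iptables emulator.
trace_src() {
    gen_rules | awk -v ip="$1" '
    function ip2int(a,  p) { split(a, p, "."); return ((p[1]*256 + p[2])*256 + p[3])*256 + p[4] }
    function prefix(n, bits,  s) { s = 2^(32 - bits); return int(n / s) * s }
    BEGIN { want = ip2int(ip); found = 0 }
    $1 == "-A" && $2 == "INPUT" {
        src = ""; tgt = ""
        for (i = 3; i <= NF; i++) { if ($i == "-s") src = $(i+1); if ($i == "-j") tgt = $(i+1) }
        if (src == "") { if (tgt != "LOG") next }   # no -s: skipped unless it is the catch-all
        else {
            split(src, c, "/"); bits = (c[2] == "") ? 32 : c[2] + 0
            if (prefix(want, bits) != prefix(ip2int(c[1]), bits)) next
        }
        print tgt; found = 1; exit
    }
    END { if (!found) print "POLICY" }'
}

# last_input_rule: the final INPUT rule; it must be the InDrop catch-all.
last_input_rule() {
    gen_rules | grep '^-A INPUT ' | tail -n 1
}

# Print the ruleset when run directly.
gen_rules
```

Run `sh rules.sh | iptables-restore --test` first; it parses the whole table without touching the live rules. `trace_src 54.233.1.1` prints AMAZON_DROP and `trace_src 8.8.8.8` prints LOG, which is the separation the post asks for: Amazon sources get the "Amazonaws IP Drop A:" prefix, everything else that falls through gets "InDrop:", and nothing that an ACCEPT rule handles is logged at all. Both LOG rules carry a limit match; without one a single scan can write thousands of kernel log lines per minute.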