> 2) Does a "-j LOG" return to the chain it was called from, or does it do
> an implicit DROP?
>
It returns to the spot where it was called from.
Yep, so you could create a new chain to drop and log:

  /sbin/iptables -N logdrop
  /sbin/iptables -A logdrop -j LOG --log-prefix 'DROP '
  /sbin/iptables -A logdrop -j DROP

Then call that one:

  /sbin/iptables -A tcp_packets -p TCP --dport 80 -j ACCEPT
  /sbin/iptables -A tcp_packets -p TCP -j logdrop
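
Added example, not part of the original thread: a shell function that tallies the kernel log lines written by the logdrop chain above, grouped by source address and destination port. The log lines are constructed and shortened, the host name `fw` is an assumption, and the 'DROP ' prefix matches the --log-prefix used above.

```shell
#!/bin/sh
# Added example: summarise packets logged by the logdrop chain.
# LOG_PREFIX must match the --log-prefix given to the LOG rule.
LOG_PREFIX='DROP '

# Constructed sample syslog lines (documentation address ranges, fields shortened).
sample_log() {
cat <<'EOF'
Jan  5 10:00:01 fw kernel: DROP IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 LEN=60 TTL=52 PROTO=TCP SPT=40112 DPT=22 SYN
Jan  5 10:00:02 fw kernel: DROP IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 LEN=60 TTL=52 PROTO=TCP SPT=40113 DPT=22 SYN
Jan  5 10:00:04 fw kernel: DROP IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.5 LEN=44 TTL=241 PROTO=TCP SPT=55001 DPT=23 SYN
Jan  5 10:00:05 fw kernel: DROP IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 LEN=60 TTL=52 PROTO=TCP SPT=40114 DPT=22 SYN
Jan  5 10:00:06 fw sshd[812]: Invalid user DROP from 192.0.2.10
Jan  5 10:00:07 fw kernel: OTHER IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.5 LEN=44 TTL=241 PROTO=TCP SPT=55002 DPT=80 SYN
Jan  5 10:00:09 fw kernel: DROP IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.5 LEN=44 TTL=241 PROTO=TCP SPT=55003 DPT=3306 SYN
EOF
}

# Read syslog text on stdin; print "count source dport", busiest first.
summarize_drops() {
    awk -v prefix="$LOG_PREFIX" '
        # Keep only kernel lines where our prefix is directly followed by
        # the first field the LOG target writes (IN=).
        $0 !~ /kernel:/ || index($0, prefix "IN=") == 0 { next }
        {
            src = "-"; dpt = "-"          # "-" if a field is absent
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/)      src = substr($i, 5)
                else if ($i ~ /^DPT=/) dpt = substr($i, 5)
            }
            count[src " " dpt]++
        }
        END { for (k in count) print count[k], k }
    ' | LC_ALL=C sort -k1,1nr -k2,2 -k3,3n
}

# Stand-alone run over the constructed sample.
sample_log | summarize_drops
```

On a live system, feed it the file or command your syslog setup uses for kernel messages instead of `sample_log`.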