bfloeagle,
Good question! It's something I've needed to work out myself.
You must have the "log" module of iptables included in your kernel.
An iptable entry would look something like this:
iptables -t nat -A PREROUTING -i eth0 \ -d 1.1.1.1 -j LOG --log-level warning --log-prefix "BAD "
Where " -j LOG " would log any instance that meets the criteria of that rule.
The --log-level and --log-prefix are explained here:
http://netfilter.filewatcher.org/unr...inuxdoc-7.html
Plus, a great section on very specific logs is found here:
http://www.cs.princeton.edu/~jns/security/iptables/
Scroll down (or do a search for log) until you find the appropriate header.
HTH