Ok, depois de muita dor, finalmente consegui fazer funcionar; aqui está a configuração final, espero que ajude alguém.
iptables
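# Filter-table rules in iptables-save format. This is an excerpt: the "*filter"
# header and "COMMIT" trailer that iptables-restore expects are not shown here.
#
# Chain policies stay ACCEPT; INPUT is default-deny only because its last rule
# hands everything unmatched to LOGNDROP.
# NOTE(review): FORWARD is left at ACCEPT with no rules -- confirm this host is
# not expected to route traffic, otherwise set an explicit forwarding policy.
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:LOGNDROP - [0:0]
:OUTPUT ACCEPT [63:18352]
# Block-listed subnet. It must come before the ACCEPT rules: rules are evaluated
# in order, so placed after them this subnet could still reach 80/222/3306.
-A INPUT -s 85.25.146.0/24 -j DROP
# Packets belonging to, or related to, connections that are already tracked.
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# Publicly reachable services.
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
# presumably SSH on a non-standard port -- confirm against sshd_config
-A INPUT -p tcp -m tcp --dport 222 -j ACCEPT
# NOTE(review): 3306 (MySQL) is open to every source address. If only known
# hosts need it, restrict this rule with "-s <trusted address>" (placeholder).
-A INPUT -p tcp -m tcp --dport 3306 -j ACCEPT
# NOTE(review): there is no "-i lo" accept rule, so new loopback connections to
# any other local port also end up in LOGNDROP -- add one if local services
# talk to each other over 127.0.0.1.
# Everything else is logged and dropped.
-A INPUT -j LOGNDROP
# Log only what is about to be denied, so the "iptables denied: " prefix is
# accurate; the limit match keeps a flood from filling the log (5/min average).
-A LOGNDROP -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
-A LOGNDROP -j DROP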
syslog.conf (sintaxe do syslog-ng)
# Route kernel log lines carrying the firewall's "iptables denied" prefix to a
# dedicated file, and keep them out of the debug and kern logs.
# NOTE(review): /var/log/iptables.log grows without bound unless a logrotate
# rule covers it -- confirm one exists.
destination d_iptables {
    file("/var/log/iptables.log");
};

# Selects messages whose text contains the prefix set by the LOG rule.
filter f_iptables {
    match("iptables denied" value("MESSAGE"));
};

# The firewall logs at level 7 (debug), so the debug filter has to exclude
# those lines explicitly.
# Earlier variant kept from the author's file:
#   not facility(auth,authpriv,cron,daemon,mail,news) and not filter(f_iptables); };
filter f_debug {
    level(debug)
    and not facility(auth, authpriv, news, mail)
    and not filter(f_iptables);
};

# Kernel-facility messages, minus the firewall lines.
filter f_kern {
    facility(kern)
    and not filter(f_iptables);
};

# s_src is not defined in this excerpt; presumably the distribution's default
# source -- confirm it exists in the full configuration.
log {
    source(s_src);
    filter(f_iptables);
    destination(d_iptables);
};