The NFLOG target can be used for this purpose. Here is a very basic example:
# Drop traffic by default
iptables -P INPUT DROP
# add your whitelists here
# iptables -A INPUT ...
# Pass the packets to NFLOG (just like LOG, but instead of syslog,
# it uses netlink). You can add extra filters such as '-p tcp' as usual
iptables -A INPUT -j NFLOG
# packets that get here will now be dropped per INPUT policy
# Finally you can use tcpdump to capture from this interface (there
# can only be one active user of nflog AFAIK)
tcpdump -i nflog ...
See the iptables-extensions manual page for a description of the NFLOG target.
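A fuller version of the same idea, added here as an example and not part of the answer above: it keeps the default-DROP policy, allows established traffic and a short TCP whitelist, sends everything that is about to be dropped to a dedicated nflog group (so other nflog users are not disturbed), and captures that group with tcpdump. The port list, the group number and the pcap path are assumptions chosen for the example; the script only prints the commands unless run with --apply.

```shell
#!/bin/sh
# Added example (not from the original answer). Assumed values:
ALLOW_TCP="${ALLOW_TCP:-22 443}"   # constructed whitelist of inbound TCP ports
NFLOG_GROUP="${NFLOG_GROUP:-5}"    # netlink group 0-65535; 0 is the default
PCAP_OUT="${PCAP_OUT:-/var/log/dropped-input.pcap}"

# Emit the iptables commands instead of running them, so the rule set can be
# reviewed (or tested) before it is applied with --apply.
nflog_rules() {
    echo "iptables -P INPUT DROP"
    # Without this rule a default DROP also discards replies to outbound
    # connections made by this host.
    echo "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A INPUT -i lo -j ACCEPT"
    for p in $ALLOW_TCP; do
        echo "iptables -A INPUT -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
    done
    # Everything left falls through to the DROP policy: copy it to userspace
    # first. --nflog-group selects the netlink multicast group to publish on,
    # --nflog-prefix tags each record, and the limit match keeps a packet
    # flood from saturating the netlink socket.
    echo "iptables -A INPUT -m limit --limit 20/s --limit-burst 100 \\"
    echo "    -j NFLOG --nflog-group $NFLOG_GROUP --nflog-prefix 'INPUT-DROP'"
}

# Capture only the packets that reached the NFLOG rule above.
capture_cmd() {
    echo "tcpdump -i nflog:$NFLOG_GROUP -nn -w $PCAP_OUT"
}

if [ "${1:-}" = "--apply" ]; then
    nflog_rules | sh -e            # requires root
else
    nflog_rules
    capture_cmd
fi
```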