I want to log all INPUT packets that do not originate in the LAN for audit purposes. I have a script with tcpdump that basically appends the result of this to a file:
tcpdump "(dst net 192.168.0.0/24 and ! src net 192.168.0.0/24)"
However, I've seen some outside attempts in /var/log/syslog:
[567325.985994] iptables INPUT denied: IN=eth1 OUT= MAC=..... SRC=69.163.149.200 DST=192.168.0.2 LEN=60 TOS=0x00 PREC=0x00 TTL=57 ID=50281 DF PROTO=TCP SPT=51380 DPT=1194 WINDOW=5840 RES=0x00 SYN URGP=0
[567895.076532] iptables INPUT denied: IN=eth1 OUT= MAC=.... SRC=72.21.91.19 DST=192.168.0.2 LEN=40 TOS=0x00 PREC=0x00 TTL=59 ID=0 DF PROTO=TCP SPT=80 DPT=52589 WINDOW=0 RES=0x00 RST URGP=0
which don't show up in the tcpdump output. I want to add a rule like
-A INPUT -j LOG
but I would like (if it makes sense) to avoid logging input packets from the LAN.
Is it enough to put this?
-A INPUT ! -s 192.168.0.0/24 -j LOG
BTW, as a side question, does iptables support logging different things to different files?
iptables always logs to syslog's kernel facility; you can separate your syslog facilities into different files - see the syslog.conf documentation for details.
Your rule would log packets which do not have a source IP in 192.168.0.0/24, but iptables logging only covers some of the packet header data, not the packet's payload.
tcpdump is the tool that would capture the payload. You should either specify the interface you expect the traffic to come in on explicitly (-i eth1) or use any interface (-i any). You might also want to increase the snaplen (-s parameter) and write the capture to a file in binary format (-w parameter).
But because tcpdump is not a security tool but a diagnostic tool with a difficult security history, and probably runs with root privileges in your config (although there are ways to run it non-root), you should consider a different solution written with security in mind - IDS systems might be suitable.
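For the side question, an added rsyslog fragment (not from the answer, which only points at the syslog.conf documentation) that routes lines carrying the posted prefix into their own file using a property-based filter. The file path and the drop-in location are assumptions; `& stop` is the rsyslog 7+ spelling, older versions write `& ~`.

```conf
# /etc/rsyslog.d/10-iptables.conf  (assumed path)
# Everything the kernel facility emits with our LOG prefix goes to its own file
# and is then discarded so it does not also land in /var/log/syslog.
:msg, contains, "iptables INPUT denied: "    -/var/log/iptables-input.log
& stop
```

Because iptables can only choose the syslog level (`--log-level`) and the prefix, the prefix is the one handle you have for splitting rules into different files: give each LOG rule a distinct `--log-prefix` and add one filter line per prefix.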
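As an added example (not code from the question or the answer above), here is a small parser for the kernel LOG lines of the form posted in the question, applying the same "source not in 192.168.0.0/24" test that `-A INPUT ! -s 192.168.0.0/24 -j LOG` applies in the kernel, and sorting the results into the two "files" the side question asks about. The sample lines are constructed: the first two are copied from the question (MAC elided as in the post), the third is a LAN-origin packet added to show the filter, and the fourth is a UDP line added to show the duplicate-LEN edge case. The rule string with `--log-prefix` is an assumption about how the posted prefix is produced; the `classify` heuristics are mine, not part of iptables.

```python
import re
import ipaddress
from collections import defaultdict

LAN = ipaddress.ip_network("192.168.0.0/24")

# Assumed rule that produces the prefix seen in the posted lines (note the trailing space
# in the prefix; --log-prefix is a real LOG target option, the exact rule is an assumption).
IPTABLES_RULE = '-A INPUT ! -s 192.168.0.0/24 -j LOG --log-prefix "iptables INPUT denied: "'
PREFIX = "iptables INPUT denied: "

# Constructed sample: lines 1-2 from the question, lines 3-4 added for the example.
SAMPLE_LOG = """\
[567325.985994] iptables INPUT denied: IN=eth1 OUT= MAC=..... SRC=69.163.149.200 DST=192.168.0.2 LEN=60 TOS=0x00 PREC=0x00 TTL=57 ID=50281 DF PROTO=TCP SPT=51380 DPT=1194 WINDOW=5840 RES=0x00 SYN URGP=0
[567895.076532] iptables INPUT denied: IN=eth1 OUT= MAC=.... SRC=72.21.91.19 DST=192.168.0.2 LEN=40 TOS=0x00 PREC=0x00 TTL=59 ID=0 DF PROTO=TCP SPT=80 DPT=52589 WINDOW=0 RES=0x00 RST URGP=0
[567900.000000] iptables INPUT denied: IN=eth0 OUT= MAC=.... SRC=192.168.0.17 DST=192.168.0.2 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=TCP SPT=40000 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
[567901.000000] iptables INPUT denied: IN=eth1 OUT= MAC=.... SRC=8.8.8.8 DST=192.168.0.2 LEN=76 TOS=0x00 PREC=0x00 TTL=55 ID=0 DF PROTO=UDP SPT=53 DPT=33445 LEN=56
"""

TOKEN_RE = re.compile(r"(\w+)=(\S*)")


def parse_log_line(line):
    """Return the KEY=VALUE fields of one LOG line as a dict, or None if the line
    does not carry our prefix. Bare tokens (DF, SYN, RST, ACK, ...) go into 'FLAGS'.
    UDP and ICMP lines repeat LEN / ID for the inner header, so the first (IP header)
    value is kept when a key appears twice."""
    idx = line.find(PREFIX)
    if idx < 0:
        return None
    fields, flags = {}, set()
    for tok in line[idx + len(PREFIX):].split():
        m = TOKEN_RE.fullmatch(tok)
        if m:
            fields.setdefault(m.group(1), m.group(2))
        else:
            flags.add(tok)
    fields["FLAGS"] = flags
    return fields


def from_outside_lan(fields, lan=LAN):
    """The same test as `! -s 192.168.0.0/24`: source address not inside the LAN.
    A line whose SRC is missing or unparsable is kept rather than silently dropped."""
    try:
        return ipaddress.ip_address(fields["SRC"]) not in lan
    except (KeyError, ValueError):
        return True


def classify(fields):
    """Rough triage from the TCP flags, which is all header-only logging gives us:
    a bare SYN is an inbound connection attempt; a RST or ACK without SYN is most
    likely a late reply to traffic this host originated (conntrack state already gone)."""
    if fields.get("PROTO") != "TCP":
        return "non-tcp"
    flags = fields["FLAGS"]
    if "SYN" in flags and "ACK" not in flags:
        return "connection-attempt"
    if "RST" in flags or "ACK" in flags:
        return "stray-reply"
    return "other"


def split_audit_log(text, lan=LAN):
    """Sort LOG lines into the audit trail (outside the LAN) and LAN-origin noise."""
    buckets = {"outside": [], "lan": []}
    for line in text.splitlines():
        f = parse_log_line(line)
        if f is not None:
            buckets["outside" if from_outside_lan(f, lan) else "lan"].append(f)
    return buckets


def summarize(entries):
    """Count (SRC, PROTO, DPT) tuples, the usual first question in an audit."""
    counts = defaultdict(int)
    for f in entries:
        counts[(f["SRC"], f.get("PROTO", "-"), f.get("DPT", "-"))] += 1
    return dict(counts)


if __name__ == "__main__":
    buckets = split_audit_log(SAMPLE_LOG)
    for f in buckets["outside"]:
        print(f["SRC"], f.get("PROTO"), f.get("DPT"), classify(f))
    print(summarize(buckets["outside"]))
```

The second posted line (SRC=72.21.91.19, SPT=80, RST) is the reason the triage matters: a RST from port 80 with no SYN is almost certainly a stale reply to an outbound web connection rather than an attack, and a plain `-j LOG` would record it with the same weight as the OpenVPN probe on port 1194.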