IP в блеклисте, но тем не менее отразился в логах. Как?

iptables -L -n -v
Chain INPUT (policy DROP 6434 packets, 1005K bytes)
pkts bytes target prot opt in out source destination
20 1200 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 match-set AS54290 src
256 12854 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 match-set south_africa src
187 9524 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 match-set saudiarabia src
204 11012 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 match-set sprint src
5611 264K DROP all -- * * 0.0.0.0/0 0.0.0.0/0 match-set microsoft src
11 528 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 match-set afghanistan src
168 6820 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 match-set seychelles src
14602 818K DROP all -- * * 0.0.0.0/0 0.0.0.0/0 match-set ukraine src
1383 74766 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 match-set israel src
3514 181K DROP all -- * * 0.0.0.0/0 0.0.0.0/0 match-set indonesia src
333 18128 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 match-set locaweb src
471 23573 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 match-set africa src
42 2312 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 match-set countryblock-angola src
880 44061 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 match-set countryblock-hk src
1142 65621 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 match-set countryblock-jp src
15205 820K DROP all -- * * 0.0.0.0/0 0.0.0.0/0 match-set countryblock-cn src
67384 3878K DROP all -- * * 0.0.0.0/0 0.0.0.0/0 match-set spammers src
11M 996M ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 1147,8080,444,443,80,25,110
2510K 386M ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:3306
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:110
319K 216M ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 8891,10025
11M 60G ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
4733 283K ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:11211
25 1284 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:4178
2772 111K ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpts:12000:15000
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpts:12000:15000
2676 160K ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:10023
375 21632 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:53
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:10023
59209 4392K ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:53
165K 9876K ACCEPT tcp -- * * 127.0.0.1 0.0.0.0/0
108 4828 ACCEPT udp -- * * 127.0.0.1 0.0.0.0/0
13 520 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:10026
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:10026
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:3306
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:145
408 23984 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:143
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:10025
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:8891
3836 230K ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:4949
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:4949

Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

Chain OUTPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
127K 9296K ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:53
10 463 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:53
10M 61G ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport sports 25,110,143,80,8080,443,444,53,10023,10025,8891
11M 29G ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
374K 22M ACCEPT tcp -- * * 0.0.0.0/0 127.0.0.1
77 3557 ACCEPT udp -- * * 0.0.0.0/0 127.0.0.1
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:3306
1107 66220 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:25
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:110
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:4949
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:4949
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 multiport sports 10026,8891,10025,53,12000:15000
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:8080
958 57400 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
29771 1786K ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:443
3783 227K ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:4949
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:4949

iptables -L -n -v -t nat
Chain PREROUTING (policy ACCEPT 805K packets, 70M bytes)
pkts bytes target prot opt in out source destination

Chain INPUT (policy ACCEPT 237K packets, 14M bytes)
pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 542K packets, 34M bytes)
pkts bytes target prot opt in out source destination

Chain POSTROUTING (policy ACCEPT 535K packets, 33M bytes)
pkts bytes target prot opt in out source destination

Оптимизайка:
Такое может быть, например, если соединение с этого ip уже было открыто, а вы добавили его позже,

Received: from 197-99-159-21.ip.broadband.is (197-99-159-21.ip.broadband.is [197.99.159.21])

blacklist -i 197.96.0.0/13 -a list
This IP has been already blocked. No need to block again. Try to unblock instead

ip route | grep 197.96.0.0/13
blackhole 197.96.0.0/13

Mobiaaa:
IP мог забаниться, а соединение уже установлено

Mar 28 14:45:05 vmd30300 dovecot: lda(crontab@kreine.com): msgid=<20190328134505.3D5BED0B3B3@mail.mir-otelej.ru>: saved mail to INBOX
Mar 28 14:45:05 vmd30300 postfix/pipe[20538]: 61D02D0A35C: to=<crontab@kreine.com>, relay=dovecot, delay=0.2, delays=0.14/0.02/0/0.04, dsn=2.0.0, status=sent (delivered via dovecot service)
Mar 28 14:45:05 vmd30300 postfix/qmgr[4181]: 61D02D0A35C: removed
Mar 28 14:51:52 vmd30300 postfix/smtpd[21222]: connect from mail03.info.pentontech.com[142.0.174.41]
Mar 28 14:51:52 vmd30300 postfix/smtpd[21223]: connect from mail01.info.pentontech.com[142.0.174.39]