Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Networking
Old 12-07-2022, 12:19 PM   #1
dalacor
Member
 
Registered: Feb 2019
Distribution: Slackware
Posts: 173

Rep: Reputation: Disabled
Iptables best practice for Port Scanners


I have about a dozen open ports on my firewall. All other ports are set to Drop.

As I recently setup the firewall, I enabled logging for all dropped connections to see what was hitting the firewall and from what countries.

Now I would like to drop logging for all closed ports. I assume that there is very little point in continuing to log traffic for closed ports? What about DDOS logging or should I reserve that for open ports?

My current rules to log dropped traffic are as follows:

Code:
# Log IPv4 Dropped Traffic

# Custom chain: everything sent here is logged (rate-limited) and then dropped
iptables -N LOGGING
iptables -A INPUT -j LOGGING
iptables -A OUTPUT -j LOGGING
iptables -A FORWARD -j LOGGING
# At most two log lines per minute, written at kernel log level 4 (warning)
iptables -A LOGGING -m limit --limit 2/min -j LOG --log-prefix "IPTables-Dropped: " --log-level 4
iptables -A LOGGING -j DROP

Is there any way to log dropped traffic only on open ports and interfaces used? For example, port 22 is blocked on eth0 but is open on tun1, so I don't want to log dropped connections on eth0 for port 22.

An even more important point is best practice for dealing with persistent port scanners. Some companies like Digital Ocean are a huge problem like that. Even if 99.9% of my ports are closed, they are wasting firewall resources having to constantly drop connections from these scanners. I would like to make them go away as quickly as possible instead of scanning every port I have.

I wondered whether they could be blocked after trying, say, five ports, or is the firewall doing the same computational work blocking the IP address instead of blocking the port? What is best procedure here? Having said that, if they were blocked by IP after scanning say 5 closed ports, then they would also be blocked from accessing any open ports! Is there a firewall rule for this? Or perhaps a honeytrap that would focus the port scanner somewhere else?

Nearly all my open ports are restricted to specific source IP Addresses or restricted by country. I am not sure if the ports show as open or closed when the port scanner is using an IP address/country that is not in the allowed list of IP addresses for that port. Even if they can't connect to that open port, I want the port to appear invisible to them.

Does iptables support any way to list what the ISP is, such as Digital Ocean or Ovh.com? I have found, trawling the logs of the firewall, that the same names (around a dozen) are coming up again and again. So if I can block the known bad ISPs or hosted server services, I can better protect my servers against future attacks, which will most likely be launched from these known malware/hacker havens. The problem is these guys keep adding new or different IP address ranges.
 
Old 12-27-2022, 01:55 PM   #2
jayjwa
Member
 
Registered: Jul 2003
Location: NY
Distribution: Slackware, Termux
Posts: 799

Rep: Reputation: 256
There's not much you can do about port scanners, because there are so many of them. Don't open a port to the internet at large unless it is robust, and don't worry about scanners hitting closed ports. There's no reason to waste CPU cycles chasing harmless traffic. You can filter by interface with the "-i" parameter, or block ranges with "iptables -A INPUT -m iprange --src-range x.x.x.x-y.y.y.y -j DROP".

Your code takes all the traffic, in both directions, and ultimately drops it. There's not much reason connecting that host to anything if you want to do that.

If you have a tender service that you want accessible only from certain IP addresses, then drop anything not ("!" parameter) from that allowed address. You can also only allow traffic from an internal LAN. This one protects Distcc from connections outside the LAN:
Code:
# Allow new Distcc connections only from the LAN prefix held in $ETHERNET_NETWORK
iptables -A INPUT -p tcp --dport 3632 -s $ETHERNET_NETWORK -m state --state NEW -j ACCEPT
# Anything else is logged (rate-limited by the default of -m limit) and actively rejected
iptables -A INPUT -p tcp --dport 3632 -m limit -m state --state NEW -j LOG --log-level 7 --log-prefix "Unauth Distcc: "
iptables -A INPUT -p tcp --dport 3632 -m state --state NEW -j REJECT --reject-with icmp-admin-prohibited
As far as scanners go, I run OpenSSH on a secret port (listed in /etc/services) and a Xinetd SENSOR on port 22. Almost all scanners will hit port 22, at which time they are blocked for the next 45 minutes, unable to mess with other services. These things are configurable in xinetd.conf. I know you did not ask about Xinetd, but I think it is related. Also consider libwrap.

Code:
# xinetd sensor on the port /etc/services maps to "ssh" (22)
service ssh
{
        flags           = SENSOR
        type            = INTERNAL
        socket_type     = stream
        wait            = no
        user            = nobody
        deny_time       = 45      # minutes during which the source is denied all xinetd services
}
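The OP's LOG rule writes kernel lines prefixed "IPTables-Dropped: ", and jayjwa's reply suggests blocking offending sources by address. As an added example (not code from either poster), here is a small Python pass over such lines that flags sources hitting many distinct closed ports on a given interface and renders a per-source DROP rule for each. The log sample, the five-port threshold and the helper names are constructed for this illustration.

```python
import re
from collections import defaultdict

# Constructed sample of what the kernel LOG target writes for the OP's rule
# (--log-prefix "IPTables-Dropped: "); addresses are documentation ranges.
SAMPLE_LOG = """\
Dec  7 12:01:01 fw kernel: IPTables-Dropped: IN=eth0 OUT= SRC=203.0.113.10 DST=198.51.100.5 PROTO=TCP SPT=40001 DPT=21 SYN
Dec  7 12:01:02 fw kernel: IPTables-Dropped: IN=eth0 OUT= SRC=203.0.113.10 DST=198.51.100.5 PROTO=TCP SPT=40002 DPT=22 SYN
Dec  7 12:01:02 fw kernel: IPTables-Dropped: IN=eth0 OUT= SRC=203.0.113.10 DST=198.51.100.5 PROTO=TCP SPT=40003 DPT=23 SYN
Dec  7 12:01:03 fw kernel: IPTables-Dropped: IN=eth0 OUT= SRC=203.0.113.10 DST=198.51.100.5 PROTO=TCP SPT=40004 DPT=25 SYN
Dec  7 12:01:03 fw kernel: IPTables-Dropped: IN=eth0 OUT= SRC=203.0.113.10 DST=198.51.100.5 PROTO=TCP SPT=40005 DPT=80 SYN
Dec  7 12:01:04 fw kernel: IPTables-Dropped: IN=eth0 OUT= SRC=203.0.113.10 DST=198.51.100.5 PROTO=TCP SPT=40006 DPT=443 SYN
Dec  7 12:02:10 fw kernel: IPTables-Dropped: IN=eth0 OUT= SRC=192.0.2.77 DST=198.51.100.5 PROTO=TCP SPT=51000 DPT=22 SYN
Dec  7 12:02:11 fw kernel: IPTables-Dropped: IN=eth0 OUT= SRC=192.0.2.77 DST=198.51.100.5 PROTO=TCP SPT=51001 DPT=22 SYN
Dec  7 12:03:00 fw kernel: IPTables-Dropped: IN=tun1 OUT= SRC=10.8.0.9 DST=10.8.0.1 PROTO=UDP SPT=5353 DPT=5353
"""

# The LOG target emits these fields in this order: IN=, SRC=, PROTO=, DPT=.
LOG_RE = re.compile(
    r"IPTables-Dropped: .*?IN=(?P<iface>\S*) .*?SRC=(?P<src>\S+) "
    r".*?PROTO=(?P<proto>\S+) .*?DPT=(?P<dpt>\d+)"
)


def parse_drops(text):
    """Yield (iface, src, proto, dport) for each line carrying the OP's prefix."""
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m:
            yield m["iface"], m["src"], m["proto"], int(m["dpt"])


def find_scanners(text, threshold=5, iface=None):
    """Map each source that probed >= threshold *distinct* closed ports to its
    sorted port list. Repeated hits on a single port (brute force, not a
    sweep) are not counted; that is fail2ban's job, as frankbell notes."""
    seen = defaultdict(set)
    for ifc, src, _proto, dport in parse_drops(text):
        if iface is None or ifc == iface:
            seen[src].add(dport)
    return {src: sorted(p) for src, p in seen.items() if len(p) >= threshold}


def block_rules(scanners):
    """One plain iptables DROP per flagged source; switch to -m iprange when
    the log shows whole ranges from the same hoster, as jayjwa describes."""
    return [f"iptables -I INPUT -s {src} -j DROP" for src in sorted(scanners)]
```

Note that the OP's rule is limited to two log lines per minute, so most of a sweep never reaches the log; raise that limit (or use a per-source hashlimit) before trusting counts derived from it.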
 
Old 12-27-2022, 07:58 PM   #3
frankbell
LQ Guru
 
Registered: Jan 2006
Location: Virginia, USA
Distribution: Slackware, Ubuntu MATE, Mageia, and whatever VMs I happen to be playing with
Posts: 19,384
Blog Entries: 28

Rep: Reputation: 6164
Also, if you have not already done so, install fail2ban. It should be in your repos.
 