Looks like I have something working now…
```
*filter
:INPUT DROP [209:41426]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [2171:455842]
:f2b-sshd - [0:0]
:fail2ban-asterisk - [0:0]
# my rtp ports
-A INPUT -p udp -m udp --dport 17000:17200 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# allow my phones
-A INPUT -s 192.168.1.0/24 -p udp -m udp --dport 5060 -j ACCEPT
# web access from local pc
-A INPUT -s 192.168.1.0/24 -p tcp -m tcp --dport 80 -j ACCEPT
# ssh from local pc
-A INPUT -s 192.168.1.0/24 -p tcp -m tcp --dport 22 -j ACCEPT
# tftp from local phones (TFTP runs over UDP)
-A INPUT -s 192.168.1.0/24 -p udp -m udp --dport 69 -j ACCEPT
# run fail2ban chains
-A INPUT -p tcp -m tcp --dport 5060 -j fail2ban-asterisk
-A INPUT -p udp -m udp --dport 5060 -j fail2ban-asterisk
-A INPUT -p tcp -m tcp --dport 5061 -j fail2ban-asterisk
-A INPUT -p tcp -m multiport --dports 22 -j f2b-sshd
# only accept if ISP sends SIP Requests bearing my id
-A INPUT -s -p udp -m udp --dport 5060 -m string --string "sip:(myuserid)@" --algo bm --to 65535 -j ACCEPT
-A f2b-sshd -j RETURN
-A fail2ban-asterisk -j RETURN
COMMIT
```
This hopefully will block SIP requests from other sources - of course, if someone hacks into my ISP and gets my credentials then this will not help.
Moving the RTP traffic to the top did make a significant difference to the voice quality.
Hope this will be useful.
Thanks very much @_fuz for your help and @Hockeychap for sharing the solution to use the --string option to filter out undesired SIP Registration requests (How to limit SIP registrations)
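Added example, not part of the original post or its author's code: a small Python model of first-match evaluation over the UDP SIP and RTP rules above, useful for checking which constructed packets reach ACCEPT before loading a ruleset. The provider address `203.0.113.10` and user id `exampleuser` are placeholders, the `-m udp` matches are dropped for brevity, and the string match is approximated as a case-sensitive substring search over the payload.

```python
import ipaddress
import shlex

# Constructed placeholders, not values from the post.
ISP, USER = "203.0.113.10", "exampleuser"

RULES = f"""
-A INPUT -p udp --dport 17000:17200 -j ACCEPT
-A INPUT -s 192.168.1.0/24 -p udp --dport 5060 -j ACCEPT
-A INPUT -p udp --dport 5060 -j fail2ban-asterisk
-A INPUT -s {ISP} -p udp --dport 5060 -m string --string "sip:{USER}@" --algo bm --to 65535 -j ACCEPT
-A fail2ban-asterisk -j RETURN
"""

def parse(text):
    """Group rules by chain; every option here is a flag/value pair."""
    chains = {}
    for line in text.strip().splitlines():
        tok = shlex.split(line)
        opts = dict(zip(tok[0::2], tok[1::2]))
        chains.setdefault(opts["-A"], []).append(opts)
    return chains

def matches(r, pkt):
    if "-s" in r and ipaddress.ip_address(pkt["src"]) not in ipaddress.ip_network(r["-s"]):
        return False
    if "-p" in r and r["-p"] != pkt["proto"]:
        return False
    if "--dport" in r:
        lo, _, hi = r["--dport"].partition(":")
        if not int(lo) <= pkt["dport"] <= int(hi or lo):
            return False
    # Approximation: the real match scans the whole packet, case-sensitively.
    return "--string" not in r or r["--string"].encode() in pkt["payload"]

def verdict(chains, pkt, chain="INPUT", policy="DROP"):
    """First matching terminal target wins; user chains fall back to the caller."""
    for r in chains.get(chain, []):
        if not matches(r, pkt):
            continue
        if r["-j"] in ("ACCEPT", "DROP"):
            return r["-j"]
        if r["-j"] == "RETURN":
            return None
        sub = verdict(chains, pkt, r["-j"], None)
        if sub:
            return sub
    return policy

def check(src, dport, payload=b""):
    return verdict(parse(RULES), {"src": src, "proto": "udp", "dport": dport, "payload": payload})
```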