The best approach is to block all ports (iptables default policy set to DROP) and open only what you need (probably at least port 5060 for your Asterisk server). If you need to administer Asterisk from outside, port 80 needs to be open if you administer it from a web browser, or port 22 if you use SSH.
Update:
For Asterisk, I don't think you need other ports open, and I'm not even sure you need 5060 open. If you only receive calls coming through your VoIP provider (with a trunk), there is no need to open 5060.
You need to open 5060 if you have extensions (or another VoIP PBX) connecting from the internet, but I don't recommend that if you can avoid it. You can use a VPN instead.
To be honest, I think it is better to use Asterisk in the LAN (behind a router/server with NAT and a firewall), without a direct connection to the internet. In this case, your internet-facing server (or router) has to port-forward the RTP port range you use in Asterisk (8000-10001 possibly) to your Asterisk server. You also need to port-forward 5060 if you receive new connections on it.
Note: a new call received from a trunk (a DID, for example) is not a new connection to 5060, because the connection to your VoIP provider over the trunk is initiated by Asterisk, so it is in the RELATED or ESTABLISHED state for the firewall and should already be authorized by the router firewall (if not, you probably have no internet in the LAN).
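
A host-firewall ruleset for the policy described in this answer, as an added example that is not part of the original post: it emits `iptables-restore` input with a default DROP policy and opens 5060 only when remote extensions connect in. SIP over UDP, SSH on port 22 for administration, the source range 203.0.113.0/24 (a constructed documentation address) and the function name `asterisk_ruleset` are assumptions.

```shell
#!/bin/sh
# Emit an iptables-restore ruleset for a host running Asterisk.
# Usage: asterisk_ruleset MODE [SIP_SOURCE]
#   MODE=trunk       Asterisk only connects out to the provider; 5060 stays closed
#   MODE=extensions  remote extensions/PBXs connect in; 5060/udp is opened
#   SIP_SOURCE       optional CIDR allowed to reach 5060 (default: any source)
RTP_RANGE="${RTP_RANGE:-8000:10001}"   # range named in the post; must match rtp.conf
ADMIN_PORT="${ADMIN_PORT:-22}"         # ssh (assumption); the post also mentions 80

asterisk_ruleset() {
    mode="$1"; sip_source="${2:-0.0.0.0/0}"
    case "$mode" in
        trunk|extensions) ;;
        *) echo "unknown mode: $mode" >&2; return 2 ;;
    esac
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport $ADMIN_PORT -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p udp --dport $RTP_RANGE -j ACCEPT
EOF
    # Only a NEW inbound SIP dialog needs 5060; replies on the trunk that
    # Asterisk itself opened are already matched by the ESTABLISHED,RELATED rule.
    if [ "$mode" = extensions ]; then
        echo "-A INPUT -p udp -s $sip_source --dport 5060 -m conntrack --ctstate NEW -j ACCEPT"
    fi
    echo "COMMIT"
}

# Print both variants; pipe one into "iptables-restore" as root to apply it.
asterisk_ruleset trunk
asterisk_ruleset extensions 203.0.113.0/24
```

Review the generated rules before loading them, and keep an existing SSH session open while testing so a mistake in the admin rule does not lock you out.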