How do I figure out what prevents incoming connections on a certain port?

I would like to enable SSH connections on an additional port on my machine, for reasons. It is a physical machine (not a VM), running Devuan GNU/Linux Chimaera (~= Debian 11.0 without systemd). The default SSH server (OpenSSH_8.4p1 Debian-5, OpenSSL 1.1.1k) is running fine and accepting connections on port 22 already.

I've added two Port entries to my /etc/sshd_config:

Port 22
Port 5123

and have restarted the service.

What I now experience is that from within the same machine, I can connect to both ports (ssh -p 5123 localhost works); but from other machines on the LAN, I can only connect to port 22. This is a physical LAN (cables running to a switch), so there should be no blockage along the way.

• I couldn't find any mention of a rejected connection in /var/log/auth.log.
• I checked /etc/hosts.allow and /etc/hosts.deny - they're both empty (except for comment lines).
• I tried iptables --list - all tables are empty.

So, what could be blocking the connection on port 5123 from other machines, and how can I unblock it?

Edit: Additional information:

# lsof -Pi :5410
COMMAND   PID USER   FD   TYPE   DEVICE SIZE/OFF NODE NAME
sshd    27566 root    3u  IPv4 19305483      0t0  TCP *:5410 (LISTEN)
sshd    27566 root    4u  IPv6 19305485      0t0  TCP *:5410 (LISTEN)

# iptables-save
# Warning: iptables-legacy tables present, use iptables-legacy-save to see them
# iptables-legacy-save 
# Generated by iptables-save v1.8.7 on Sun Oct 10 09:30:15 2021
*filter
:INPUT DROP [3837243:374065333]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [8124295:583169789]
-A INPUT -m state --state INVALID -j DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -p udp -m udp --dport 500 -j ACCEPT
-A INPUT -p esp -j ACCEPT
-A INPUT -p ah -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A FORWARD -m state --state INVALID -j DROP
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
# Completed on Sun Oct 10 09:30:15 2021

So it looks like there's a rule for accepting port 22 as input, but no such rule for port 5123. The question remains, though - what's the cause of this situation?

# cat /etc/nftables.conf
#!/usr/sbin/nft -f

flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0;
    }
    chain forward {
        type filter hook forward priority 0;
    }
    chain output {
        type filter hook output priority 0;
    }
}

On Debian 11, and Devuan Chimaera, iptables is actually a symlink:

# readlink  `which iptables`
/etc/alternatives/iptables
# readlink -f `which iptables`
/usr/sbin/xtables-nft-multi