I did check iptables after shutting down fail2ban, and there weren't any entries in there except the ones I expected. Also tried flushing all the iptables tables entirely and resetting their default policies to ACCEPT, just to be certain. No dice.
If the ISP has done something, I would guess it's intended to be permanent, since the failures have been happening for three weeks. Hopefully that's not it, as there's probably no solution there.
Issue with the router or another network device is certainly possible. I guess next thing I'll test will be to just eliminate all that and connect my webserver directly to the cable modem (I guess the modem could also be at fault, ugh). I'll try that later in the evening when I can take the network down without anyone getting upset. If that doesn't work, I'll also take your suggestion to use another machine as the webserver (I guess I can use my laptop) and connect that directly to the cable modem.
Thank you both so much for all the troubleshooting suggestions so far. Will report back once I've been able to try this.
If none of this works, I'll probably switch to using dns-01 challenges; my DNS provider has an API I can use to automate poking TXT records into my zone, which hopefully will work if all else fails.