SOLVED: Changed Network Prefix under Access Entries and TVHeadEnd couldn't communicate with itself.

Added by K Shea almost 9 years ago

I wanted to restrict TVHeadEnd to use only on my local network, and while my router's firewall probably does that, I still wanted to change the Network Prefix under Access entries to something like 192.168.10.0/24 to increase security. When I did that, everything on my local network could get in fine, BUT TVHeadEnd could not communicate with itself! Now admittedly I have a bit of an unusual situation where TVHeadEnd has to be able to access its own streaming output for additional processing, but that's not really relevant. All I would really like to know is if there is any way to change my Network Prefix value so that TVHeadEnd can stream to itself, but that limits access to my local network?


Replies (3)

RE: Changed Network Prefix under Access Entries and TVHeadEnd couldn't communicate with itself. - Added by Prof Yaffle almost 9 years ago

Not sure about whether it's the ACL that would prevent that - though the fact that the problem appears when you change it would be suspicious, I agree... I'd guess that it's using the loopback address and not the "real" IP address, which is normal for a Linux system. That means it's using 127.0.0.1, so try adding a rule for that as well.

You can confirm whether it's the ACL in the debug messages, as I think something is written out to the log if wrong credentials are given - in this case, a not-allowed address.

RE: Changed Network Prefix under Access Entries and TVHeadEnd couldn't communicate with itself. - Added by K Shea almost 9 years ago

The only error message it gives is "subscription: 004D: No input source available for subscription" which I think means it doesn't receive a signal on the specified address. I also had the thought that using 127.0.0.1 might work, but how do you use two IP addresses (or ranges) for the same rule? My guess would be that when a request comes in it goes through the ACL looking for a name and password match first and if it finds one it then checks the ACL to see if access is allowed, and if not it just denies the request. So I just wondered if something like 192.168.10.0/24, 127.0.0.1 would be legal syntax (or maybe with just a space and no comma). I have to be very careful not to lock myself out of the system because there's no desktop or GUI on the actual system running TVHeadEnd, so I'd be kind of screwed if I denied myself access by using improper syntax for the Access Entries.

RE: Changed Network Prefix under Access Entries and TVHeadEnd couldn't communicate with itself. - Added by K Shea almost 9 years ago

After some clarification it turns out that 192.168.10.0/24,127.0.0.1/32 is the correct format in this case. TVHeadEnd wants to see address ranges (it will add the /32 if you only specify a single IP address) but multiple ranges are separated by commas or semicolons.
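A way to check a candidate Network Prefix value before saving it, so that a missing loopback entry or a lockout shows up first. This is an added example, not part of the original thread or TVHeadEnd's own code; the function names and sample addresses are assumptions, and it relies only on the format described in the reply above.

```python
import ipaddress
import re


def parse_prefixes(value):
    """Split a 'Network prefix' string into network objects.

    Entries are separated by commas or semicolons, as described in the thread.
    A bare address becomes a single-host network (/32 for IPv4).
    """
    networks = []
    for entry in re.split(r"[,;]", value):
        # Whitespace is stripped for convenience in this check only; the
        # thread does not say whether TVHeadEnd tolerates spaces.
        entry = entry.strip()
        if not entry:
            continue
        # strict=True rejects entries with host bits set (e.g. 192.168.10.5/24).
        # That is a choice made for this check, not a statement about TVHeadEnd.
        networks.append(ipaddress.ip_network(entry, strict=True))
    return networks


def uncovered_clients(prefix_value, clients):
    """Return the client addresses that no prefix in prefix_value matches."""
    networks = parse_prefixes(prefix_value)
    missing = []
    for client in clients:
        addr = ipaddress.ip_address(client)
        if not any(addr in net for net in networks):
            missing.append(client)
    return missing


if __name__ == "__main__":
    # Constructed sample: addresses that must keep access after the change
    # (an admin workstation on the LAN, and TVHeadEnd talking to itself).
    must_reach = ["192.168.10.20", "127.0.0.1"]
    for candidate in ("192.168.10.0/24", "192.168.10.0/24,127.0.0.1/32"):
        print(candidate, "-> would be denied:",
              uncovered_clients(candidate, must_reach))
```

A malformed entry raises `ValueError` here, which is the point: the mistake surfaces on the workstation rather than on a headless server.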
