UPnP is tricky from a firewall point of view. The query goes from a random port to a multicast address on port 1900; the answer comes from some other address and port to the random port in the query.
Query: 172.16.32.169.62214 > 239.255.255.250.1900: UDP, length 138
Answer: 172.16.32.12.58589 > 172.16.32.169.62214: UDP, length 509
I don’t offhand know what iptables rules would allow this if the usual -m state --state established,related doesn’t catch it, other than allowing UDP in general from your local network.
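The mismatch described above, as an added example that is not part of the original post: a toy Python model (not netfilter code) of reply-tuple matching, using the two packets from the capture. The `Firewall` class, the `ssdp_aware` switch and the 3-second window are assumptions made for the illustration; the second check shows a narrower alternative to allowing all local UDP, namely remembering the source address and port of each outgoing port-1900 query for a short time.

```python
# Added illustration: a toy model of stateful UDP tracking, not real netfilter code.
SSDP = ("239.255.255.250", 1900)          # multicast group and port from the capture


class Firewall:
    def __init__(self, reply_window=3.0):  # window length is an assumed value
        self.conntrack = set()             # expected (reply_src, reply_dst) pairs
        self.pending = {}                  # (local_ip, local_port) -> expiry time
        self.reply_window = reply_window

    def outbound(self, src, dst, now):
        # A state tracker expects the reply to be the exact inverse of the query.
        self.conntrack.add((dst, src))
        if dst == SSDP:
            # Remember which local ip:port is waiting for unicast answers.
            self.pending[src] = now + self.reply_window

    def inbound(self, src, dst, now, ssdp_aware):
        if (src, dst) in self.conntrack:
            return "ACCEPT established"
        # Caveat: inside the window this accepts UDP from any sender to that
        # one ip:port, which is still far narrower than all local UDP.
        if ssdp_aware and self.pending.get(dst, 0.0) > now:
            return "ACCEPT ssdp-reply"
        return "DROP"


def demo():
    client = ("172.16.32.169", 62214)      # query source in the capture
    device = ("172.16.32.12", 58589)       # answer source in the capture
    fw = Firewall()
    fw.outbound(client, SSDP, now=0.0)
    return [
        fw.inbound(SSDP, client, 0.5, ssdp_aware=False),    # what state matching expects
        fw.inbound(device, client, 0.5, ssdp_aware=False),  # what actually arrives
        fw.inbound(device, client, 0.5, ssdp_aware=True),   # inside the reply window
        fw.inbound(device, client, 10.0, ssdp_aware=True),  # window expired
        fw.inbound(device, ("172.16.32.169", 62215), 0.5, ssdp_aware=True),  # other port
    ]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

On Linux the same idea can be expressed with an ipset `hash:ip,port` set created with a `timeout`, filled by a rule on outgoing port-1900 traffic and matched on incoming UDP.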