Iptables – Only Allow Localhost Access

So, iptables basically remembers the port number that was used for the outgoing packet (what else could it remember for a UDP packet?),

I am pretty sure for UDP the source and destination ports and addresses are stored.

If you want to inspect the state tables install conntrack and/or netstat-nat.

(What would happen, if I accidentally tried to start a service on that port within the timeframe - would that attempt be denied/blocked?)

Since you are using OUTPUT and INPUT your are talking about local services. The port is already used I don't believe your system will allow you to start up another service since something is already listening on that port. I guess you could stop the first service and start another if you really wanted to though, in that case the response would probably get to your service. What the service does with the packet depends on what the contents of the packet is, and what service it is.

If your machine has multiple interfaces, and you try to communicate with the IP on one of these other interfaces, the traffic will actually go over the lo interface. Linux is smart enough to figure out this traffic is destined for itself, and not try to use the real interface.

The rule -A OUTPUT -o lo -j ACCEPT will allow this other traffic, while the rule -A OUTPUT -o lo -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT would reject it.

.

You can see everything the kernel will route over the loopback interface by running

ip route show type local table all

(just note the first value, which is either an IP or a network/mask)