While you may be using Ubuntu, this question is not Ubuntu-specific, but Linux-specific, so I think it would be better to ask it on ServerFault.

Answer to the original question (before OP edited it)

Your rule in INPUT chain is correct, but the rule in OUTPUT chain is wrong. You want to drop there packets addressed to the mentioned IP, not the ones coming from it (which is pointless in this chain).

That's why you have to change -s (--source) to -d (--destination) in the rule:

# iptables -A OUTPUT -d 172.21.7.188 -j DROP

But even when you were dropping only incoming packets, it was kind of enough, one could say. It's true that ping was returning (ICMP echo reply was reaching your host) without above line, and consulting tcpdump or wireshark would show ping-related datagrams (i.e. outgoing and incoming), but the ping application wasn't receiving incoming datagrams, because they were dropped.

Obviously it's rather unwise to drop only incoming packets in most of the cases, because it leads to different state on both ends of the connection (at connection level or at application level).

Answer to edited question

If after correction it still doesn't work, then I suspect your firewall has already some rules that make your new rules unreachable. The way you added your rules makes them appended at the end of the chain. You should remove your new rules first (same commands as for appending, but change -A to -D).

Now add your rules to the beginning of chains (i.e. insert them at given rule number 1) they are suited for (same commands as for appending, change -A to -I):

# iptables -I INPUT  -s 172.21.7.188 -j DROP

# iptables -I OUTPUT -d 172.21.7.188 -j DROP

Now it should work.