The "everything else blocked" part is easy;
iptables allows you to set the policy for both input and output packets; you will eventually want DROP as the policy for both.
But first, I recommend setting up the other rules and making sure they are functioning; otherwise, frustration is bound to ensue.
HTTP uses TCP port 80
DNS uses UDP port 53
DHCP uses UDP ports 67 (to server) & 68 (to client)
Further, I will assume your Raspberry Pi has two ethernet interfaces: one for the hotspot, and one to connect to the outside world. I have randomly chosen eth1 as the hotspot interface for this server.
So the rules you will need are
Code:
# OUTPUT rules match the outgoing interface with -o (-i is only accepted on INPUT);
# the port options take two dashes: --dport / --sport.
iptables -A INPUT -i eth1 -d 192.168.0.44 -j ACCEPT
iptables -A OUTPUT -o eth1 -s 192.168.0.44 -j ACCEPT
iptables -A INPUT -i eth1 -p tcp --dport 80 -j ACCEPT
iptables -A OUTPUT -o eth1 -p tcp --sport 80 -j ACCEPT
iptables -A INPUT -i eth1 -p udp --dport 53 -j ACCEPT
iptables -A OUTPUT -o eth1 -p udp --sport 53 -j ACCEPT
iptables -A INPUT -i eth1 -p udp --dport 67 -j ACCEPT
iptables -A OUTPUT -o eth1 -p udp --dport 68 -j ACCEPT
With these rules, run the server for a bit, using it as a hotspot, and check that all the rules are getting used (iptables has a list command
iptables -nvL, which will display the number of packets processed by each rule).
Note that DHCP does not work the same way as either HTTP or DNS; it uses one port for traffic directed to the server, and a different port for traffic directed to the requesting client.
Once everything seems to be working correctly, add these rules at the beginning of your configuration:
Code:
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -i eth0 -j ACCEPT
iptables -A OUTPUT -o eth0 -j ACCEPT
iptables -P INPUT DROP
iptables -P OUTPUT DROP
These will implement the "everything else blocked" part of your requirements. Note that your server still needs to talk to the external interface, and to internal processes via the loopback interface; therefore, you need the 4 rules at the beginning of this block.
Good luck