I have a simple hotspot running, i dont need dns to resolve to the hotspot portal. My hotspot portal address is 192.168.88.2

How do I drop all traffic coming from unauthorized hotspot users?

I want to drop all DNS, ICMP, any and all protocols and ports for unauthorized users. The only thing that they should be allowed is to access this address: 192.168.88.2 or port 80 only

The hotspot will block/redirect traffic to the login page when unauthorized or non-authorized users connect and try to surf. However, without proper HTTPS setup on the hotspot requests to like Google, YouTube or pretty much normal traffic since almost all "major" sites are HTTPS will die and just show a connection error. Also, you can't block DNS. It's needed for the Hotspot to be able to redirect/walled garden things. People just aren't typing in IPs to go to Facebook.

As numerous people have pointed out in numerous posts, the amount of non-HTTPS sites and access that is out there for the public is/has greatly decreased. Only allowing port 80 traffic is going to greatly hamper your users on the Hotspot.

Ah, but you have not understood my post.
I asked:
How do I drop all traffic coming from unauthorized hotspot users?

Meaning, once they are authorized they can access any site, any port.

And I answered. You cannot DROP the traffic, well I guess you could, but how would they log in? Only by getting to the hotspot address? You realize that most devices are going to detect they are on a hotspot/proxied network and send them to the login page?

Again, once the hotspot is active and the users are on that network they will be denied surfing until they log in. Exactly what you are looking for.

but how would they log in?

from my op: They should be only allowed access to the hotspot portal, ie: 192.168.88.2 on port 80 only

You realize that most devices are going to detect they are on a hotspot/proxied network and send them to the login page?

exactly, they will be directed to http://192.168.88.2/login. - which of course they are allowed to access.

Again, once the hotspot is active and the users are on that network they will be denied surfing until they log in.

Well, thats what I thought too, until i found out about DNS tunneling apps like Freedom, and other apps that modify the http headers to bypass the hotspot portal.