You can try this on your host, assuming you have a “NAT” connection.
Iptables rules can accommodate your needs nicely. Instead of whitelisting all entry nodes (which would be a quite large and convoluted list), see what your current Entry/Guard node is. You can see this by using Nyx in the Gateway. Once you know this, on your host, set rules like this (with sudo privileges):
First, default drop policy
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
These will make it so everything NOT listed as a rule will be discarded/dropped. You will cut off all incoming and outgoing traffic except for what is explicitly defined with an iptables rule.
iptables -A OUTPUT -p tcp -d [entry-guard-ip] -j ACCEPT
And for incoming,
iptables -A INPUT -p tcp -s [entry-guard-ip] -j ACCEPT
Right under that,
iptables -A INPUT ! -s [entry-guard-ip] -j DROP
You do not need any dns rules for Tor on your host. You do need localhost though for both incoming and outgoing:
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
This enables your host to talk only to Tor. The entry/guard is the only IP that can communicate in either direction, and localhost of course. Put those rules into a small script, give it chmod +x privs and run it before you start Whonix. Keep in mind, entry guards change periodically, so every now and again, check Nyx to see what the current one is and adjust the iptables rules. Those will get you started. I encourage you to take a closer look at the Whonix Firewall code for both the Gateway and Workstation on Github. There are some useful, all purpose rules that you can optionally add to your configuration.
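The rules above, gathered into the "small script" the post suggests. This is an added example, not the post's own script and not part of Whonix's firewall code. It goes a little beyond the post in three ways, all assumptions of this example: it takes the guard address(es) as command-line arguments and checks they are well-formed IPv4 addresses before touching the firewall, it accepts more than one guard address (Tor can keep several guards in use), and the inbound rule only admits packets belonging to connections the host itself opened (conntrack ESTABLISHED,RELATED) rather than any TCP from the guard's address. The address 203.0.113.10 in the usage comment is a documentation-range placeholder, not a real guard.

```shell
#!/bin/sh
# Added example (not Whonix's own firewall code): build the host-side
# iptables rule set that allows traffic only to/from the current Tor
# entry guard and loopback, then optionally load it.
#
#   sh guard-only.sh 203.0.113.10              # print the rules (dry run)
#   APPLY=1 sudo sh guard-only.sh 203.0.113.10 # load them into iptables
#
# 203.0.113.10 is a placeholder from a documentation address range.

# Return 0 only for a dotted-quad IPv4 address with every octet <= 255.
# A typo here would either lock the host out of Tor or whitelist the
# wrong peer, so it is worth checking before any rule is generated.
valid_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    for octet in $(echo "$1" | tr '.' ' '); do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Print the iptables commands for one or more guard IPs, one per line.
# Nothing is executed here, so the output can be reviewed or diffed
# against the running rule set before it is applied.
build_rules() {
    [ "$#" -ge 1 ] || { echo "build_rules: need at least one guard IP" >&2; return 1; }
    for ip in "$@"; do
        valid_ipv4 "$ip" || { echo "build_rules: bad IPv4 address: $ip" >&2; return 1; }
    done
    # Start from a clean filter table, so re-running after a guard change
    # does not leave the previous guard's ACCEPT rules behind.
    echo "iptables -F"
    echo "iptables -X"
    # Default deny in every chain: anything not matched below is dropped.
    echo "iptables -P INPUT DROP"
    echo "iptables -P FORWARD DROP"
    echo "iptables -P OUTPUT DROP"
    # Loopback in both directions (Tor and local clients need it).
    echo "iptables -A INPUT -i lo -j ACCEPT"
    echo "iptables -A OUTPUT -o lo -j ACCEPT"
    for ip in "$@"; do
        # Outbound TCP to the guard: this is the only way out of the host.
        echo "iptables -A OUTPUT -p tcp -d $ip -j ACCEPT"
        # Inbound from the guard only as part of a connection the host
        # opened; unsolicited packets from that address are still dropped.
        echo "iptables -A INPUT -p tcp -s $ip -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    done
}

# Feed the generated commands to a shell; needs root (or sudo).
apply_rules() {
    build_rules "$@" | sh -e
}

# Only act when a guard address is given, so sourcing this file merely
# defines the functions above.
if [ "$#" -ge 1 ]; then
    if [ "${APPLY:-0}" = "1" ]; then
        apply_rules "$@"
    else
        build_rules "$@"
    fi
fi
```

When the guard changes, re-run the script with the new address; the leading flush means the old guard's rules are replaced rather than accumulated. Run it once without APPLY=1 first to eyeball the rules it would load.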