You can add these rules to the htaccess file in your site root:

# check if the request is for the images folder
RewriteCond %{REQUEST_URI} ^/images/

# check that it isn't a request for an image
RewriteCond %{REQUEST_URI} !\.(jpe?g|png|gif|bmp)$ [NC]

# check that it isn't a request for the 2 ok php files
RewriteCond %{REQUEST_URI} !^/images/(gradient|rgba)\.php$

# forbid access
RewriteRule ^ - [L,F]

This should make it so any request for /images/ that doesn’t end with jpg/jpeg/png/gif/bmp (or whatever other extension you want to add to the regular expression) or isn’t gradient.php or rgba.php, will result in a 403 forbidden.

EDIT:

I don’t want them to be forbidden, I just want them to not execute – it’s an upload folder, so I basically want it that if someone uploads a JPG that is secretly PHP code that I haven’t detected, that it won’t run

as long as jpg and other images are mapped to the correct mime/type (via AddType image/jpeg .jpg) then it won’t get handed to the php handler and whatever code is there won’t get executed. If you want to serve all files using the default handler, you need to set AddHandler default-handler php in the htaccess file in your images directory. You’ll then need to move the gradient and rgba files out to some other directory. You can’t selectively set handlers from an htaccess file, though you may be able to use <Location> blocks to set handlers in your vhost config.

EDIT 2:

I was wrong, you can use the H flag to set a custom handler using a rule. So in the above rules, instead of [L,F], you can do [L,H=default-handler] so that anything that isn’t an image or gradient.php or rgba.php will get sent to the default-handler (e.g. php files will get sent as-is, and not handled and executed by mod_php).

So you can just do:

RewriteEngine On
RewriteCond %{REQUEST_URI} !^/images/(gradient|rgba)\.php$
RewriteRule ^ - [L,H=default-handler]