Thank you for pointing me to ufw.
That was easier to setup, here are my rules that do what I want:
ufw default deny incoming
ufw default deny outgoing
ufw allow from 192.168.2.0/24
ufw allow out from any to 192.168.2.0/24
ufw allow out 53
ufw allow out http
ufw allow out https
ufw allow out from 192.168.2.1 to 224.0.0.251
I had also to add:
# ok icmp codes for OUTPUT
-A ufw-before-output -p icmp --icmp-type echo-request -j ACCEPT
to before.rules file to make ping to work properly