One more thought.
I don’t know anything about virtual connections, as I said earlier, but another way to have two IPs is to assign them both to one physical interface. You can do it with NetworkManager; I’ve done this.
In this case, if we were using iptables, then you could either:
1. Check for the destination IP address in addition to the port for incoming packets in each rule, or
2. Make two rules like this: if the destination IP is IP1 then use chain INCOMING_IP1, and the same for IP2. Then in each chain you would accept packets with permitted ports and drop all the others.
I don’t know how to do additional chains in Firewalld. You have something called “rich rules” and also direct configuration in firewalld, maybe one of these can be used.
But maybe there’s a way to implement (1) quite easily. Check man firewalld.service. A service definition can contain a destination address. The destination address for incoming traffic should be one of your two IPs.
I usually copy some service.xml file from /etc/firewalld/services/, rename it to something like my-sshd.xml, then change it to suit my needs – for example, change the port for sshd from 22 to something else.
Then I do:
sudo firewall-cmd --add-service=my-sshd --zone=my-zone --permanent
sudo firewall-cmd --remove-service=ssh --zone=my-zone --permanent
Be very careful when changing the sshd port in this way on a remote host, as you can easily lock yourself out!
You can do a similar thing and add a destination address to the service definition.
I can’t test if this works right now, but it’s something to try.
It may also not be the best way to accomplish what you want performance-wise, but it can work.
How about this idea?
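The service-definition approach described in the post above, as an added example that is not part of the original post or of firewalld’s own files: a small POSIX sh script that writes one firewalld service file per destination address (using the <port> and <destination> elements documented in firewalld.service(5)), checks what each file permits, and prints the firewall-cmd sequence to install it. The addresses 192.0.2.10 and 192.0.2.11, the port 2222, the zone name my-zone and the service names are constructed assumptions; the files go to a temporary directory by default so the script runs without root and without touching a live firewall.

```shell
#!/bin/sh
# Added example (not from the post): per-destination firewalld services.
# Assumed values: IP1=192.0.2.10, IP2=192.0.2.11 (RFC 5737 documentation
# range), sshd moved to 2222, zone "my-zone". Nothing here is applied to
# the running firewall; the apply commands are only printed.

OUT_DIR="${OUT_DIR:-$(mktemp -d)}"

# write_service NAME PORT PROTO DEST_IPV4
# Writes $OUT_DIR/NAME.xml in the firewalld.service(5) format and prints
# the path. The <destination> element is what limits the opened port to
# packets addressed to that one IP; without it the port would be open on
# both addresses.
write_service() {
    name=$1; port=$2; proto=$3; dest=$4
    file="$OUT_DIR/$name.xml"
    cat > "$file" <<EOF
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>$name</short>
  <description>$proto/$port accepted only when addressed to $dest</description>
  <port protocol="$proto" port="$port"/>
  <destination ipv4="$dest"/>
</service>
EOF
    printf '%s\n' "$file"
}

# service_allows FILE PORT DEST_IPV4
# Exit 0 only if FILE opens exactly PORT and is bound to DEST_IPV4; used as
# a sanity check before copying the file into /etc/firewalld/services/.
service_allows() {
    grep -q "port=\"$2\"" "$1" && grep -q "ipv4=\"$3\"" "$1"
}

# print_apply_commands ZONE NAME...
# Prints (does not run) the install sequence: copy the files into the
# system service directory, reload so firewalld learns the new names, add
# them to the zone, drop the stock "ssh" service that is open on every
# address, reload again. Review the output before pasting it on a remote
# host: removing "ssh" before the new service is active locks you out.
print_apply_commands() {
    zone=$1; shift
    for name in "$@"; do
        printf 'sudo install -m 644 %s /etc/firewalld/services/%s.xml\n' \
            "$OUT_DIR/$name.xml" "$name"
    done
    printf 'sudo firewall-cmd --reload\n'
    for name in "$@"; do
        printf 'sudo firewall-cmd --zone=%s --add-service=%s --permanent\n' \
            "$zone" "$name"
    done
    printf 'sudo firewall-cmd --zone=%s --remove-service=ssh --permanent\n' "$zone"
    printf 'sudo firewall-cmd --reload\n'
}

# Worked case: sshd on 2222 reachable only via IP1, a web port only via IP2.
write_service my-sshd-ip1 2222 tcp 192.0.2.10 >/dev/null
write_service my-http-ip2 80   tcp 192.0.2.11 >/dev/null
print_apply_commands my-zone my-sshd-ip1 my-http-ip2
```

Both generated files land in the zone together, so each address accepts only its own service; a packet to IP1 on port 80 matches neither service and falls through to the zone’s default (reject or drop). Whether the port filtering happens in a service file or, as in the iptables variant, in a per-IP chain, the check is the same: destination address and destination port together, not port alone.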