with several interfaces on the machine you can assign them to distinct IP stacks. the services on an outside stack can be distinct from those on the inside stack. i do this at home and at work to control access to services. one of the interfaces can be bound to the `pkt' interface, which allows a process to act as source and sink of IP packets for that interface. such a process can have pkt interfaces set on separate IP stacks and can therefore do arbitrary filtering between them (but you need to write that code). see man 3 ip for a start.
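
The following is an added example, not part of the original post: a portable C sketch of the per-packet decision a relay process sitting between two pkt interfaces could make on each raw IPv4 packet read from the outside stack before writing it to the inside stack. The policy (pass only unfragmented TCP to port 22) and all names are assumptions chosen for illustration; the Plan 9 read/write loop around it is not shown.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

enum { DROP, PASS };
enum { PROTO_TCP = 6, ALLOWED_PORT = 22 };  /* assumed policy, not from the post */

/* Verdict for one raw IPv4 packet of n bytes read from the outside stack. */
int outside_to_inside(const unsigned char *p, size_t n)
{
    size_t hlen, total;
    unsigned dport;

    if (n < 20 || (p[0] >> 4) != 4)
        return DROP;                      /* too short, or not IPv4 */
    hlen = (size_t)(p[0] & 0x0f) * 4;
    total = ((size_t)p[2] << 8) | p[3];
    if (hlen < 20 || total < hlen || total > n)
        return DROP;                      /* length fields disagree with what was read */
    if (p[9] != PROTO_TCP)
        return DROP;
    if ((p[6] & 0x3f) != 0 || p[7] != 0)
        return DROP;                      /* MF set or offset != 0: fragment, ports unverifiable */
    if (total < hlen + 20)
        return DROP;                      /* no complete TCP header */
    dport = ((unsigned)p[hlen + 2] << 8) | p[hlen + 3];
    return dport == ALLOWED_PORT ? PASS : DROP;
}

/* Constructed sample: a 40-byte IPv4+TCP packet; cut bytes are withheld from the filter. */
int verdict_for(unsigned proto, unsigned fragoff, unsigned dport, size_t cut)
{
    unsigned char b[40];

    memset(b, 0, sizeof b);
    b[0] = 0x45;                                 /* version 4, IHL 5 (20-byte header) */
    b[3] = (unsigned char)sizeof b;              /* total length */
    b[6] = (unsigned char)((fragoff >> 8) & 0x1f); /* fragment offset, 8-byte units */
    b[7] = (unsigned char)(fragoff & 0xff);
    b[9] = (unsigned char)proto;
    b[22] = (unsigned char)(dport >> 8);         /* TCP destination port */
    b[23] = (unsigned char)(dport & 0xff);
    return outside_to_inside(b, sizeof b - cut);
}

int main(void)
{
    printf("tcp/22 %d, tcp/80 %d, udp/22 %d, fragment %d, truncated %d\n",
        verdict_for(6, 0, 22, 0), verdict_for(6, 0, 80, 0),
        verdict_for(17, 0, 22, 0), verdict_for(6, 185, 22, 0),
        verdict_for(6, 0, 22, 10));
    return 0;
}
```

Because the relay is the only path between the two stacks, anything the function does not explicitly pass never reaches the inside stack, so the default for malformed, truncated or fragmented input is to drop.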