With guest console support available, this ticket can be simplified in a major way without adding attack surface or complexity.
The scripts for triggering iptables/sdwdate actions on host suspend/resume would reside on Whonix host in the respective systemd directories.