Because of the way POSIX access modes are parsed, this won't work reliably for a single directory. It should work if you deny access to group2 first, then grant access to group1 -- but that would rely on the order of the ACLs; extremely fragile. Not recommended.
Using two nested directories is the tested and tried solution. Upper one denies access to specific groups or users but allows traverse for all others, and the lower one only grants access to desired groups. Thus:
drwx-----x root:group2 /upper/
drwxrwx--- root:group1 /upper/lower/
If you use an administrator user account, you can of course replace the root above.
upper directory grants traverse rights to everybody except group2, then lower grants access to group1.
You can add further excluded groups to upper in ACLs, and further access grants to lower ACLs.
It is important that you don't grant anybody write access to upper, so that the access mode for lower stays intact. This is easiest if you keep upper otherwise empty, and only grant the traverse access. Remember, everybody except the denied users and groups has access to upper.
In most cases, you can of course symlink /somedirectory to /upper/lower. The kernel will internally always traverse the two directories and apply the necessary access tests.
Hope this helps,
Nominal Animal
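
As an added illustration, not part of the original post: a small Python model of how exactly one permission class (owner, then group, then other) is selected for plain mode bits, applied to the upper/lower layout above and to a single directory for comparison. The uids, gids and user names are constructed, and ACL entries and root's override are not modelled.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Dir:
    mode: int  # permission bits, e.g. 0o701
    uid: int   # owning user
    gid: int   # owning group

@dataclass(frozen=True)
class User:
    uid: int
    gids: frozenset  # primary and supplementary groups

def class_bits(d: Dir, u: User) -> int:
    """Return the rwx bits of the single class that applies; first match wins."""
    if u.uid == d.uid:
        return (d.mode >> 6) & 7
    if d.gid in u.gids:
        # Group class is used even when the 'other' bits would grant more.
        return (d.mode >> 3) & 7
    return d.mode & 7

def can_enter(path, u: User) -> bool:
    """True if u has search (x) permission on every directory in path."""
    return all(class_bits(d, u) & 1 for d in path)

# Constructed ids for illustration only.
ROOT, GROUP1, GROUP2 = 0, 1001, 1002
UPPER = Dir(0o701, ROOT, GROUP2)   # drwx-----x root:group2 /upper/
LOWER = Dir(0o770, ROOT, GROUP1)   # drwxrwx--- root:group1 /upper/lower/
SINGLE = Dir(0o770, ROOT, GROUP1)  # one directory, mode bits only

USERS = {
    "alice": User(2001, frozenset({GROUP1})),
    "bob": User(2002, frozenset({GROUP1, GROUP2})),
    "carol": User(2003, frozenset({GROUP2})),
    "dave": User(2004, frozenset()),
}

def report():
    """Map user -> (traverse upper, reach lower, enter single directory)."""
    return {
        name: (can_enter([UPPER], u), can_enter([UPPER, LOWER], u), can_enter([SINGLE], u))
        for name, u in USERS.items()
    }

if __name__ == "__main__":
    for name, row in report().items():
        print(name, row)
```

In this model bob, a member of both groups, gets into the single directory but is stopped at upper in the nested layout, while dave (in neither group) can traverse upper and is stopped at lower.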