I was actually thinking the same thing, something that looked like:
iptables -A FORWARD -s ip.of.source.machine -d ip.of.destination.machine -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
But the idea of my web server becoming a layer 3 router is not the direction I want to go. I think it would be advantageous to put a load balancer such as squid in front of the system so I can get as granular as I need on policy, while taking advantage of the reverse proxy caching capabilities. The only problem I can see is how squid might affect SSL traffic.
Another consideration is the proxy; I have heard Varnish is a much better proxy server than squid in terms of performance. I know nothing else about it other than a few graphs showing it beat out squid in requests per second, etc.
The last option I have been playing with is building a load balancer with the open source "Pen" from siag.nu, which is a fantastic little piece of software. It allows load balancing based on TCP port and has tons of options on how to distribute traffic. I would enable the firewall to scan for traffic from the source IP ranges and forward the traffic before it reached the load balancing software, and from there it could pass the "good" traffic to my web servers.
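As an added illustration of the "firewall screens the source ranges before the load balancer sees the traffic" idea (this is example code, not part of the post above), the function below emits a stateful iptables allowlist for the balancer host's own INPUT chain, so the host filters without becoming a router. The chain name LB_ALLOW, the listen port and the source CIDRs are constructed placeholders; the rules are printed for review rather than executed.

```shell
# Build the INPUT-chain allowlist for a load balancer host.
# Arguments: listen port, then one or more allowed source CIDRs.
# Emits the iptables commands instead of running them, so the
# ruleset can be reviewed (or piped to sh as root) before it is applied.
lb_allowlist_rules() {
    port="$1"; shift
    [ -n "$port" ] && [ $# -ge 1 ] || { echo "usage: lb_allowlist_rules PORT CIDR..." >&2; return 1; }
    # Dedicated chain (hypothetical name) keeps the policy separate from other INPUT rules.
    echo "iptables -N LB_ALLOW 2>/dev/null || iptables -F LB_ALLOW"
    # Replies and related packets for connections that were already accepted.
    echo "iptables -A LB_ALLOW -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # New connections to the balancer port only from the approved source ranges.
    for cidr in "$@"; do
        echo "iptables -A LB_ALLOW -p tcp -s $cidr --dport $port -m state --state NEW -j ACCEPT"
    done
    # Anything else aimed at the balancer port is rate-limited logged, then dropped.
    echo "iptables -A LB_ALLOW -p tcp --dport $port -m limit --limit 5/min -j LOG --log-prefix \"LB-DROP: \""
    echo "iptables -A LB_ALLOW -p tcp --dport $port -j DROP"
    # Hook the chain into INPUT for the balancer port only; other services are untouched.
    echo "iptables -A INPUT -p tcp --dport $port -j LB_ALLOW"
}

# Constructed sample: balancer listens on 443, two trusted client ranges (documentation prefixes).
lb_allowlist_rules 443 198.51.100.0/24 203.0.113.0/24
```

Because the balancer is the only host that accepts from the outside, the web servers behind it can keep a plain "accept from the balancer's address only" rule.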