I don't know if you can do it without layer 7 analysis; you can try -m string. I don't use iptables.
Trying to discern the HTTP_HOST header before layer7 is probably impossible, which is why it shouldn't be handled at the network level. You'd probably have to use -m layer7 if you want to use iptables.
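An added illustration (not code from the thread) of the point made above: a stateless per-packet string match, which is how an iptables -m string rule behaves, is a poor way to discern the Host header compared with reassembling the stream and parsing it at layer 7. The request bytes, the segment boundary and the matcher models are all constructed for this example.

```python
import re

# Header parser used once the TCP stream has been reassembled (layer-7 view).
HOST_RE = re.compile(rb"^host:\s*(.+?)\r?$", re.IGNORECASE | re.MULTILINE)

def per_packet_match(segments, needle):
    """Naive model of a stateless per-packet matcher: each TCP segment's
    payload is inspected on its own, with no reassembly between segments."""
    return any(needle in seg for seg in segments)

def stream_host(segments):
    """Layer-7 model: reassemble the segments, then parse the Host header.
    Returns the lowercased host, or None if the header block is incomplete."""
    data = b"".join(segments)
    head, sep, _body = data.partition(b"\r\n\r\n")
    if not sep:
        return None  # headers not fully received yet
    m = HOST_RE.search(head)
    return m.group(1).strip().lower() if m else None

# Constructed sample request (not captured traffic).
REQUEST = (b"GET /index.html HTTP/1.1\r\n"
           b"User-Agent: constructed-sample/1.0\r\n"
           b"Host: www.example.com\r\n"
           b"Connection: close\r\n\r\n")

def demo():
    needle = b"Host: www.example.com"
    # Split the request so the segment boundary falls inside the Host line.
    cut = REQUEST.index(b"Host:") + 8
    split = [REQUEST[:cut], REQUEST[cut:]]
    # Same header, legal extra whitespace after the colon.
    spaced = [REQUEST.replace(b"Host: ", b"Host:   ")]
    return {
        "packet_match_single_segment": per_packet_match([REQUEST], needle),
        "packet_match_split": per_packet_match(split, needle),   # misses it
        "stream_host_split": stream_host(split),                  # still parsed
        "packet_match_whitespace": per_packet_match(spaced, needle),
        "stream_host_whitespace": stream_host(spaced),
        "stream_host_incomplete": stream_host([REQUEST[:40]]),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```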
As for defending myself, I decided to ask a few people to read this thread: several of them work for Savvis, a couple work at SoftLayer, one at DreamHost, one at Akamai (she did make fun of me for not knowing where Manitoba was, though), and one at The Planet (not to mention I myself have more experience dealing with large-scale networks than you, since this is apparently a penis contest now...), all as network technicians, and they all came to the same conclusion: you're the idiot, not me. Your approach gives no thought whatsoever to performance, and is overly paranoid, but also lacks understanding. It isn't secure because you have systems on your private LAN and off your private LAN running on the same physical machine, and you trust VMware implicitly.
Your network is a wonderful playground and all that, and actually can host websites effectively, but not on different servers; even if you had more than one IP, it's just dumb. You run one web server and learn how to chroot and manage permissions; you don't spawn a new virtual machine every time you want to host a new website, it's a waste. Database servers were meant to be run as servers for scalability and performance by separating them from the same physical machine as the applications using them, not for security; they are all capable of using Unix sockets too, you know.