I was doing some work setting up iptables for a Bro cluster, and found that the open ports necessary aren't well documented. I took an initial stab at documenting this at: <https://gist.github.com/3776670>.
It's quite possible that the rules are more permissive than they should be (e.g. I'm not sure if the proxy needs to be able to reach the workers, if the workers need to be able to reach the proxy, or both). Also, I didn't cover the case of multiple proxies, since I'm not sure what the requirements are there.
Hope this is a useful jumping-off point. Thanks,