#4
Old 11-20-2008, 10:39 PM
gravyface
Junior Member
 
Join Date: Nov 2008
Posts: 6

Yup, thanks for confirming my hunch. I'm motoring along now with my rules but I've hit a couple of snags:

1. Sat. One cannot access Sat. Two because (I'm assuming) there's no route back to One from Two? I've added an allow rule to permit Sat. One to access Sat. Two and I see green packets in the Live Log, but I cannot connect; I even tried connecting to Sat. Two's SnapGear's Web Mgmt Interface, but no luck. This is actually the behavior I'm after, but obviously I'd like to know why.

2. Any node on the 10.0.1.0/24 network can access any node on either Sat. One or Sat. Two. This is not desired. I thought that the SnapGear would drop all packets on the WAN interface by default -- regardless of tunnel -- but it's not. I'm going to check out the SnapGear docs as to why, but I'd also like to drop packets from all 10.0.1.0/24 nodes except for one particular host and would like to enforce that in the Astaro's packet filtering rules.
My first rule is "Internal (10.0.1.0/24) -> Any" which I'm assuming is allowing access to all the tunnel networks. My plan was to do something like:
#1 "Internal (10.0.1.0/24) -> ALLOW -> Internet"
#2 "Internal (10.0.1.0/24) -> ALLOW -> Internal (10.0.1.0/24)"
#3 "Internal (10.0.1.0/24) -> DROP -> group ('Satellite Locations')"

but I'm not sure if this is the way to go and/or what to use for "Internet".
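The rule plan in the post above, worked through as an added example (this is not code from the post, the forum, Astaro or SnapGear). It models a packet filter as a top-down, first-match rule list, which is the behaviour the plan relies on, and shows three things: why a leading "Internal -> Any" rule grants every internal host access to the tunnel networks, how "Internet" can be defined as Any minus the local and tunnel networks so rule #1 does not also cover the satellites, and where the per-host exception has to sit relative to the DROP. The satellite subnets (10.0.2.0/24, 10.0.3.0/24) and the one permitted host (10.0.1.50) are assumptions; the post only names 10.0.1.0/24.

```python
import ipaddress
from dataclasses import dataclass

# Network objects. INTERNAL is from the post; the satellite subnets and the
# single permitted host are constructed assumptions for this example.
ANY = ipaddress.ip_network("0.0.0.0/0")
INTERNAL = ipaddress.ip_network("10.0.1.0/24")
SAT_ONE = ipaddress.ip_network("10.0.2.0/24")         # assumed
SAT_TWO = ipaddress.ip_network("10.0.3.0/24")         # assumed
SATELLITES = [SAT_ONE, SAT_TWO]                       # the "Satellite Locations" group
ALLOWED_HOST = ipaddress.ip_network("10.0.1.50/32")   # assumed: the one host allowed out to the satellites


@dataclass
class Rule:
    name: str
    src: list    # list of ip_network objects
    dst: list    # list of ip_network objects
    action: str  # "ALLOW" or "DROP"


def internet_nets(local=(INTERNAL, *SATELLITES)):
    """'Internet' = Any with the local LAN and every tunnel network carved out.

    Built by successively excluding each local network from the pieces of
    0.0.0.0/0, so a rule using it can never match traffic into a tunnel.
    """
    nets = [ANY]
    for private in local:
        nets = [piece for n in nets
                for piece in (n.address_exclude(private) if private.subnet_of(n) else [n])]
    return nets


def _matches(addr, nets):
    return any(addr in n for n in nets)


def evaluate(rules, src_ip, dst_ip, default="DROP"):
    """Top-down, first-match evaluation (assumed semantics). Returns (action, rule name)."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in rules:
        if _matches(s, r.src) and _matches(d, r.dst):
            return r.action, r.name
    return default, "implicit default"


def shadowed(rules):
    """Names of rules that can never fire because an earlier rule covers them entirely."""
    dead = []
    for i, r in enumerate(rules):
        for earlier in rules[:i]:
            src_covered = all(any(s.subnet_of(es) for es in earlier.src) for s in r.src)
            dst_covered = all(any(d.subnet_of(ed) for ed in earlier.dst) for d in r.dst)
            if src_covered and dst_covered:
                dead.append(r.name)
                break
    return dead


# The current single rule from the post: it matches the tunnel networks too.
CURRENT_RULES = [Rule("Internal -> Any", [INTERNAL], [ANY], "ALLOW")]

# The planned rule set, with the per-host exception inserted ahead of the DROP.
PLANNED_RULES = [
    Rule("#1 Internal -> Internet", [INTERNAL], internet_nets(), "ALLOW"),
    Rule("#2 Internal -> Internal", [INTERNAL], [INTERNAL], "ALLOW"),
    Rule("#2a allowed host -> Satellites", [ALLOWED_HOST], SATELLITES, "ALLOW"),
    Rule("#3 Internal -> Satellites", [INTERNAL], SATELLITES, "DROP"),
]

# Appending the DROP behind "Internal -> Any" leaves it unreachable.
MISORDERED_RULES = CURRENT_RULES + [Rule("DROP Satellites", [INTERNAL], SATELLITES, "DROP")]


if __name__ == "__main__":
    for rules, label in ((CURRENT_RULES, "current"), (PLANNED_RULES, "planned")):
        for src, dst in (("10.0.1.20", "10.0.2.10"), ("10.0.1.50", "10.0.3.10"), ("10.0.1.20", "8.8.8.8")):
            print(label, src, "->", dst, evaluate(rules, src, dst))
    print("shadowed in misordered set:", shadowed(MISORDERED_RULES))
```

The ordering point is the one to carry back to the real Astaro rule set: a DROP placed after a broader ALLOW never matches, and the single-host exception must precede the group DROP it punches through. Note that this only governs the direction the rule table sees; the satellite-to-internal direction falls to the implicit default here, and on the real boxes it is whatever the SnapGear end permits.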