Use a proxy server installed on either server 1 or 3, configured to allow connections to the sites in sources.list from the private network servers. As a bonus, if you go with a caching proxy like squid or approx, you'll use less bandwidth for downloading packages common to the servers.
For regular web proxies like squid, you can either set the $http_proxy environment variable before running apt, or edit your apt.conf file (if you're on Debian squeeze, it looks like the configuration is split up into different files in /etc/apt/apt.conf.d/, add a new file) and set
Acquire::http::Proxy "http://user:pass@yourproxyaddress:proxyport";
Replace http with ftp if you're using ftp mirrors and an ftp capable proxy.
If you use approx, then you edit the clients' sources.list to point to your approx server instead of the original mirrors, instead of setting a proxy in your shell or your apt.conf.
If you don't want to install a proxy, you can use ssh's port forwarding in one of a few ways:
1: Change server 2/4's sources.list to use http://localhost:8080/ for the mirrors. If you have more than one mirror host, you'll need to choose different ports (e.g. 8081) for each one. On server2/4, enable GatewayPorts in sshd_config. Then, ssh from server 1 to server 2/4 using
ssh -R 127.0.0.1:8080:http.us.debian.org:80 server2
Use multiple -R commands (e.g. -R 127.0.0.1:8081:security.debian.org:80) if there are multiple mirrors to tunnel to. As long as this ssh connection remains open, you'll be able to use apt.
2: Use ssh's "dynamic" SOCKS proxy and tsocks to provide SOCKS support for apt-get. To do this, you will have to ssh "backwards" from server2 to server1 using
ssh -D 8080 server1
in one terminal, then running tsocks apt-get update etc. in another terminal. You'll set the server and port information in /etc/tsocks.conf and the tsocks "wrapper" program will convert the normal http connections in apt to use the socks proxy provided by ssh. This way you don't make any changes to sources.list.
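Added example, not part of the original answer: a small planner for option 1 that reads a sources.list, assigns one loopback port per http mirror, and produces both the rewritten file and the matching ssh -R command. The function names and the sample sources.list are constructed for illustration; https entries are left untouched because the mirror's certificate would not match localhost.

```python
import re

# One-line-style entries only; commented-out lines do not match.
DEB_LINE = re.compile(r"^\s*deb(-src)?\s")
# Plain-http mirror URI with an optional explicit port (https is skipped).
HTTP_URI = re.compile(r"http://([^/\s:]+)(?::(\d+))?")

# Constructed sample input, not taken from any real host.
SAMPLE = """\
deb http://http.us.debian.org/debian squeeze main
deb-src http://http.us.debian.org/debian squeeze main
deb http://security.debian.org/ squeeze/updates main
# deb http://backports.debian.org/debian-backports squeeze-backports main
deb https://example.invalid/debian squeeze main
"""

def plan_tunnels(sources_text, base_port=8080, bind="127.0.0.1"):
    """Return (rewritten sources.list text, list of ssh -R forward specs)."""
    forwards = {}  # (mirror host, mirror port) -> local port on server 2/4

    def rewrite(match):
        target = (match.group(1), int(match.group(2) or 80))
        if target not in forwards:
            # Each distinct mirror gets its own port: 8080, 8081, ...
            forwards[target] = base_port + len(forwards)
        return f"http://localhost:{forwards[target]}"

    lines = []
    for line in sources_text.splitlines():
        if DEB_LINE.match(line):
            line = HTTP_URI.sub(rewrite, line, count=1)
        lines.append(line)

    # Binding to the loopback address keeps the forwarded port off the network.
    specs = [f"{bind}:{local}:{host}:{port}"
             for (host, port), local in forwards.items()]
    return "\n".join(lines) + "\n", specs

def ssh_command(specs, private_server):
    """Command to run on server 1; apt works while this session stays open."""
    return "ssh " + " ".join(f"-R {s}" for s in specs) + f" {private_server}"

if __name__ == "__main__":
    rewritten, specs = plan_tunnels(SAMPLE)
    print(rewritten)
    print(ssh_command(specs, "server2"))
```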