Does NAT-ing rewrite the source IP in packets?

http://serverfault.com – I'm trying to set up port forwarding so that a specific IP (e.g can SSH via a bastion (e.g to an app server ( The bastion and app server are running in a VPC in Amazon with only the bastion exposed to the Internet. I'm using the following rule on the bastion (I've left out the source IP until I get it working):

    iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 2222 -j DNAT --to

but when I try to connect, I get no response. Running tcpdump on the bastion shows that traffic is getting through, so I assume I'm hitting the app server's VPC