Does NAT-ing rewrite the source IP in packets?
Solution 1:
So, my question is: Does NAT-ing the way I've set it up automatically change the source IP of packets so they appear to come from the bastion, or will they contain the original source IP, in this case 1.2.3.4?
No, DNAT doesn't change the source IP, only the destination. DNAT = Destination Network Address Translation.
How would I know if IP forwarding was enabled on the bastion?
The following command should return 1:
# cat /proc/sys/net/ipv4/ip_forward
And how can I make iptables perform SNAT (if that's in fact what I want - I want all traffic inside the VPC to appear to come from the bastion, and for the bastion to then redirect it back out appropriately)?
# iptables -t nat -I POSTROUTING -p tcp -s 1.2.3.4 -d 10.3.3.3 --dport 22 -j MASQUERADE
Solution 2:
You have configured DNAT, or "destination NAT", which means that your gateway is rewriting the destination address of connections matching that rule. The source address remains the same, as you should be able to tell if you run tcpdump on the outbound interface of your bastion host or on your app server.
This means that the app server is attempting to return packets to the address of your origin host, 1.2.3.4 in your example. Whether or not this will work depends on how your hosts are all connected.
A simple solution would be to replace your iptables rule with a simple tcp proxy (e.g., haproxy, pen, balance, etc). Have the proxy listen on port 2222 on your bastion host and forward connections to port 22 on the app server and it will just work, because from the perspective of the app server connections originate on the bastion host.
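Both answers describe the same gap: DNAT in PREROUTING rewrites only the destination, so the app server still sees 1.2.3.4 and replies to it directly. The script below, an added example rather than either answer's own commands, renders the complete rule set for the bastion (DNAT, FORWARD accepts, and the matching SNAT in POSTROUTING) from the addresses in the question; the bastion's inside address BASTION_INT and the interface names are assumed placeholders.

```shell
#!/bin/sh
# Added example (not from the original answers): DNAT + SNAT on the bastion.
set -eu

CLIENT=1.2.3.4                         # original source, from the question
PUBLIC=5.5.5.5                         # bastion's public address, from the question
PUBLIC_PORT=2222
APP=10.3.3.3                           # app server, from the question
APP_PORT=22
BASTION_INT=${BASTION_INT:-10.3.3.1}   # ASSUMED: bastion's address inside the VPC
EXT_IF=${EXT_IF:-eth0}                 # ASSUMED interface names
INT_IF=${INT_IF:-eth1}

# Print the rules instead of running them, so they can be reviewed or tested.
nat_rules() {
    # 1. DNAT in PREROUTING rewrites only the destination; the source stays $CLIENT.
    echo "iptables -t nat -A PREROUTING -i $EXT_IF -p tcp -s $CLIENT -d $PUBLIC --dport $PUBLIC_PORT -j DNAT --to-destination $APP:$APP_PORT"
    # 2. Allow the rewritten flow through FORWARD (its default policy may be DROP),
    #    and only reply traffic back in the other direction.
    echo "iptables -A FORWARD -i $EXT_IF -o $INT_IF -p tcp -d $APP --dport $APP_PORT -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT"
    echo "iptables -A FORWARD -i $INT_IF -o $EXT_IF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # 3. SNAT in POSTROUTING: match the post-DNAT destination and rewrite the source,
    #    so the app server sees the bastion and routes its replies back through it.
    echo "iptables -t nat -A POSTROUTING -o $INT_IF -p tcp -d $APP --dport $APP_PORT -j SNAT --to-source $BASTION_INT"
}

# Succeeds only when IPv4 forwarding is on (the "should return 1" check);
# an optional argument overrides the sysctl file path.
forwarding_enabled() {
    [ "$(cat "${1:-/proc/sys/net/ipv4/ip_forward}" 2>/dev/null)" = "1" ]
}

# Enable forwarding if needed, then apply the rendered rules (run as root).
apply_rules() {
    forwarding_enabled || sysctl -w net.ipv4.ip_forward=1
    nat_rules | while IFS= read -r rule; do eval "$rule"; done
}
```

Run `nat_rules` to review the generated commands, and `apply_rules` as root on the bastion to install them.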