Wednesday, 14 August 2013

Does NAT-ing rewrite the source IP in packets?

I'm trying to set up port forwarding so that a specific IP (e.g.
1.2.3.4/32) can SSH via a bastion (e.g. 5.5.5.5:2222) to an app server
(10.3.3.3:22). The bastion and app server are running in a VPC in Amazon
with only the bastion exposed to the Internet.
I'm using the following rule on the bastion (I've left out the source IP
until I get it working):
iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 2222 -j DNAT --to 10.3.3.3:22
but when I try to connect, I get no response.
Running tcpdump on the bastion shows that traffic is getting through, so I
assume I'm hitting the app server's VPC security groups and not getting as
far as port 22 on it. I think this is happening because while the
bastion has permission to access port 22 on the app server, IP 1.2.3.4
doesn't.
So, my question is: Does NAT-ing the way I've set it up automatically
change the source IP of packets so they appear to come from the bastion,
or will they contain the original source IP, in this case 1.2.3.4?
If packets do contain 1.2.3.4 as the source IP after forwarding them, how
can I change the source address to be the bastion's?
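An added example (not part of the original post) that puts the question's rule next to a complete set: DNAT in PREROUTING rewrites only the destination, so the app server sees source 1.2.3.4 unless a POSTROUTING MASQUERADE (or SNAT) rule rewrites the source to the bastion's own address. It assumes the bastion's Internet-facing interface is eth0 and uses the addresses and ports from the question.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes the bastion's only
# interface is eth0 and the addresses below (taken from the question).
ALLOWED_SRC="1.2.3.4/32"   # the one client that may reach the app server
BASTION_PORT="2222"        # public port on the bastion
APP_SERVER="10.3.3.3"      # app server's private IP
APP_PORT="22"
WAN_IF="eth0"

# The rule from the question: DNAT in PREROUTING rewrites only the
# destination. Packets leave the bastion for 10.3.3.3 still carrying
# source 1.2.3.4, so the app server's security group must allow 1.2.3.4.
rules_dnat_only() {
    cat <<EOF
iptables -t nat -A PREROUTING -p tcp -i $WAN_IF --dport $BASTION_PORT -j DNAT --to-destination $APP_SERVER:$APP_PORT
EOF
}

# Complete rule set: forwarding enabled, DNAT restricted to the allowed
# client, FORWARD chain opened only for that flow, and MASQUERADE in
# POSTROUTING so the app server sees the bastion's own IP as the source.
rules_full() {
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -t nat -A PREROUTING -p tcp -i $WAN_IF -s $ALLOWED_SRC --dport $BASTION_PORT -j DNAT --to-destination $APP_SERVER:$APP_PORT
iptables -A FORWARD -p tcp -s $ALLOWED_SRC -d $APP_SERVER --dport $APP_PORT -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A FORWARD -p tcp -s $APP_SERVER --sport $APP_PORT -m conntrack --ctstate ESTABLISHED -j ACCEPT
iptables -t nat -A POSTROUTING -o $WAN_IF -p tcp -d $APP_SERVER --dport $APP_PORT -j MASQUERADE
EOF
}

# Exit 0 if the named rule generator includes a source rewrite
# (MASQUERADE or SNAT), 1 otherwise.
has_source_rewrite() {
    "$1" | grep -Eq -- '-j (MASQUERADE|SNAT)'
}

# "apply" runs the full set (needs root); anything else prints it.
case "${1:-}" in
    apply) rules_full | sh -e ;;
    *)     rules_full ;;
esac
```

With the source rewritten, the app server's security group only needs to allow SSH from the bastion's private IP, and the bastion does not have to forward packets with a foreign source (which EC2 drops unless the instance's source/destination check is disabled).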
