Re: On vanilla Fedora 3, can't do a transparent proxy (-j REDIRECT)

Thank you Ramoni, you beat me to the punch.  The PREROUTING chain is for packets inbound and forwarding through the host (I believe), not packets that are generated on the box and will be going out to the world.  For packets generated on the box and going out to the world the OUTPUT chain is what you want to add your rules to.

IMHO there is nothing wrong with testing from the box that is doing the (trans)proxying itself, you just have to be aware that it will follow different rules than the rest of the network.  The same applies for IPSec VPNs via (Free|Open)SWAN.  I personally always start testing from the firewall itself via pings, but I include the "-I" parameter to tell ping what IP to use thus emulating traffic that will be coming in from the LAN vs just going out via the WAN.  IMHO this is better in the long run to know how to do as you can do some preliminary testing via SSH connections without having to have any access to a client system.  Thus you should know how to do the testing from the firewall itself.



Grant. . . .
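
The PREROUTING/OUTPUT split described in the message above, as an added example that is not part of the original post. The proxy port (3128), proxy user (`squid`) and LAN interface (`eth1`) are assumed values; the script only prints the rules unless run as root with `APPLY=1`.

```shell
#!/bin/sh
# Added example: REDIRECT rules for both packet paths on a transparent proxy box.
# Assumed values (not from the original post):
PROXY_PORT=3128     # port the local proxy listens on
PROXY_USER=squid    # account the proxy process runs as
LAN_IF=eth1         # interface facing the LAN clients

# Packets arriving from LAN clients and forwarded through the box
# traverse nat/PREROUTING, so the client-facing rule lives there.
prerouting_rule() {
    echo "iptables -t nat -A PREROUTING -i $LAN_IF -p tcp --dport 80 -j REDIRECT --to-ports $PROXY_PORT"
}

# Packets generated on the box itself never see PREROUTING; they
# traverse nat/OUTPUT. The proxy's own upstream requests are exempted
# first, otherwise they would be redirected back into the proxy (a loop).
output_rules() {
    echo "iptables -t nat -A OUTPUT -p tcp --dport 80 -m owner --uid-owner $PROXY_USER -j RETURN"
    echo "iptables -t nat -A OUTPUT -p tcp --dport 80 -j REDIRECT --to-ports $PROXY_PORT"
}

# Print every rule (dry run); install them only when APPLY=1 is set.
emit() {
    { prerouting_rule; output_rules; } | while read -r cmd; do
        if [ "${APPLY:-0}" = 1 ]; then
            $cmd            # word-splitting is intended: runs iptables with its args
        else
            echo "$cmd"
        fi
    done
}

emit
```

After applying, `iptables -t nat -L -n -v` shows per-rule packet counters, which tell you which chain a test connection actually hit.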

