iptables does not support dynamic IP addresses/hostnames, but you can have it update the rule to the correct IP address whenever it changes.
Instead of jumping straight from POSTROUTING to the SNAT target, create a new chain that sits in the middle and then jumps to SNAT. So instead of
POSTROUTING -> SNAT, the packet flow becomes
POSTROUTING -> DYNAMIC -> SNAT.
Create the new chain:
sudo iptables -t nat -N DYNAMIC
Add the POSTROUTING rule, replacing the -j SNAT [...] part of your existing rule with -j DYNAMIC:
sudo iptables -t nat -A POSTROUTING -o eth1 -p tcp --dport 80 -d 192.0.2.2 -j DYNAMIC
Add the firewall’s IP address to the DYNAMIC chain (this rule applies to every packet that reaches the DYNAMIC chain, because all the matching is already done by the POSTROUTING rule that jumps to it):
sudo iptables -t nat -A DYNAMIC -j SNAT --to-source 192.0.2.15
Now, test the rule and make sure it works as expected. Whenever there is a change to the firewall’s IP address, you can simply flush the DYNAMIC chain and add the rule again:
sudo iptables -t nat -F DYNAMIC
sudo iptables -t nat -A DYNAMIC -j SNAT --to-source 192.0.2.58
You can automate the last two commands if you have a way of knowing what the new IP address is and when it changes. Obviously, if it is possible to give the firewall a static IP address, that is the preferred option.
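One way to automate those last two commands, as an added example that is not part of the original answer: a POSIX shell script that reads the current address of eth1, validates it, and flushes and refills the DYNAMIC chain only when the address actually changed. The interface name, the state file path and the "update" argument are assumptions; the IPTABLES variable lets you dry-run with IPTABLES=echo before wiring it into cron or a DHCP client hook.

```shell
#!/bin/sh
# Added example: keep the DYNAMIC chain's SNAT rule in sync with the address
# on the outbound interface. Assumes the DYNAMIC chain and the
# POSTROUTING -> DYNAMIC rule from the answer already exist. Run as root.
IFACE="${IFACE:-eth1}"                          # assumption: outbound interface
STATE="${STATE:-/var/run/dynamic-snat.ip}"      # assumption: last-seen address
IPTABLES="${IPTABLES:-iptables}"                # set IPTABLES=echo to dry-run

# Pull the first IPv4 address out of "ip -4 -o addr show dev <iface>" output,
# which arrives on stdin so the parser can be tested without a real interface.
# -o prints one line per address: "2: eth1    inet 192.0.2.15/24 brd ..."
extract_ipv4() {
    sed -n 's/.* inet \([0-9.]*\)\/.*/\1/p' | head -n 1
}

current_ip() {
    ip -4 -o addr show dev "$IFACE" | extract_ipv4
}

# Refuse anything that is not a dotted quad with octets 0-255, so a garbled
# string can never end up in an iptables argument.
is_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    set -- $(echo "$1" | tr '.' ' ')            # split into the four octets
    for octet; do
        [ "$octet" -le 255 ] || return 1
    done
}

# The two commands from the answer: flush DYNAMIC, then add the single SNAT rule.
refresh_chain() {
    "$IPTABLES" -t nat -F DYNAMIC
    "$IPTABLES" -t nat -A DYNAMIC -j SNAT --to-source "$1"
}

update_if_changed() {
    new="$(current_ip)"
    is_ipv4 "$new" || { echo "no IPv4 address on $IFACE" >&2; return 1; }
    old=""
    if [ -r "$STATE" ]; then old="$(cat "$STATE")"; fi
    if [ "$new" != "$old" ]; then
        refresh_chain "$new" && printf '%s\n' "$new" > "$STATE"
        echo "DYNAMIC chain now SNATs to $new (was ${old:-unset})"
    fi
}

# Invoke as "dynamic-snat.sh update" from cron or a dhclient exit hook.
case "${1:-}" in update) update_if_changed ;; esac
```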