using iptables/tc to traffic shape

Flaherty, Patrick pflaherty at wsi.com
Mon Aug 10 19:10:01 EDT 2009


I'm trying to be able to simulate slow/throttled/crappy internet for a
client server app. My plan was to have the client connect to eth0, use
an iptables preroute dnat to the destination, and have a static route
for the destination go thru eth1, where I could use tc on eth1 to
simulate different network issues.

My theory:

client:192.168.100.10
throttler:192.168.100.50
throttler:192.168.100.51
destination:192.168.100.100

packet leaves client on ephemeral port for throttlerbox:443
packet arrives at throttlerbox:443
iptables nats packet to destinationbox:443
static route for destinationbox:443 sends packet to eth1
packet leaves box on eth1 on an ephemeral port for destinationbox:443
...and there's the return trip which I don't need to map out.

I can't seem to get this to work though. The dnat rule gets a single hit
but the packet doesn't show up at the throttler:eth1. A little birdie
said he's never been able to get it to work thinking that the kernel was
being efficient and ignoring routes for packets destined for a network
on the interface they came in on. 

Anyone ever see this before? Know how to do this correctly? Yes it would
be easier if I just hung a hub off the throttler and had it act as a nat
box, but that would be inconvenient for the devs and the testers.

Here are the rules I tried (I've done about 30 variations on natrules)

#turn on natting
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE

#accept established connections from eth1 to eth0
iptables -A FORWARD -i eth1 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT

#accept all traffic on eth0, send it thru eth1, seems like *some* packets should show up on eth1 eh?
iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT

#traffic on eth0
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -j DNAT --to-destination 192.168.100.100:443

Beers at the next gnhlug for a solution?

Patrick
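
Added example, not part of the original post: the rules above depend on kernel settings the message does not show, so this sketch checks two general preconditions for forwarding between eth0 and eth1 (IP forwarding and reverse-path filtering). It is not a confirmed diagnosis of the problem described; PROC_ROOT and the function names are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the original post. PROC_ROOT is a hypothetical
# override so the checks can run against a constructed tree instead of /proc.
PROC_ROOT="${PROC_ROOT:-/proc}"

# Print one IPv4 sysctl value; prints nothing if the file is missing.
read_sysctl() {
    cat "$PROC_ROOT/sys/net/ipv4/$1" 2>/dev/null || true
}

# PREROUTING (and so the DNAT counter) runs before the routing decision,
# but the FORWARD chain is only reached when ip_forward is 1.
check_forwarding() {
    [ "$(read_sysctl ip_forward)" = "1" ]
}

# The kernel validates sources with max(conf/all, conf/<dev>) rp_filter.
effective_rp_filter() {
    rp_all=$(read_sysctl conf/all/rp_filter)
    rp_dev=$(read_sysctl "conf/$1/rp_filter")
    rp_all=${rp_all:-0}
    rp_dev=${rp_dev:-0}
    if [ "$rp_all" -gt "$rp_dev" ]; then echo "$rp_all"; else echo "$rp_dev"; fi
}

# Report each precondition for the listed interfaces; returns 1 if any
# check fails or warns.
preflight() {
    status=0
    if check_forwarding; then
        echo "ok   ip_forward=1"
    else
        echo "FAIL ip_forward is not 1, packets are not forwarded between interfaces"
        status=1
    fi
    for dev in "$@"; do
        rp=$(effective_rp_filter "$dev")
        if [ "$rp" = "1" ]; then
            # Strict mode drops a packet whose source is not routed back out
            # the interface it arrived on, which can happen when two
            # interfaces share one subnet as in the post.
            echo "WARN $dev rp_filter=1 (strict), may drop same-subnet traffic"
            status=1
        else
            echo "ok   $dev rp_filter=$rp"
        fi
    done
    return $status
}
```

Source the file on the throttler and run `preflight eth0 eth1`; a non-zero return means at least one line was FAIL or WARN.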