Why do we use redsocks+iptables instead of using iptables only?
Because “all traffic” does not speak the SOCKS protocol. A SOCKS proxy expects its clients to speak SOCKS. That’s where redsocks comes in: It terminates TCP connections and speaks SOCKS “on the other end”.
SOCKS is also a TCP-based protocol. When a SOCKS client connects, the following happens:
- TCP handshake (SYN →, SYN-ACK ←, ACK →)
- Client sends a SOCKS connection request (as described on Wikipedia)
- Server sends SOCKS response
- (If successful thus far) Data exchange with actual target takes place (e.g. sending an HTTP request)
If you just redirect whatever to the SOCKS proxy, this exchange will fail at step 2: The server will receive what it perceives to be garbage data (e.g. the HTTP request that is supposed to come only in step 4) and terminate the connection.
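The exchange described in the answer above, as an added example that is not part of the original post: a SOCKS5 (RFC 1928) CONNECT round trip against a toy proxy, next to the failure at step 2 when the HTTP request is the first thing the proxy sees. SOCKS5 adds a method-negotiation greeting before the connection request the answer refers to, so the comments follow the answer's step numbering with that extra message in step 2. The toy proxy, the toy HTTP target, the loopback ports and the sample request/response are all constructed for this demo; none of it is redsocks or a real SOCKS server.

```python
"""Constructed demo of the SOCKS5 (RFC 1928) CONNECT exchange: a toy proxy and a toy
HTTP target run in threads on loopback. Neither is redsocks or a real proxy."""
import socket
import threading

SOCKS5 = 5
REQUEST = b"GET / HTTP/1.0\r\nHost: example\r\n\r\n"            # constructed sample request
RESPONSE = b"HTTP/1.0 200 OK\r\nContent-Length: 2\r\n\r\nok"    # constructed sample reply

def _recv_exactly(sock, n):
    """Read exactly n bytes, raising if the peer closes first."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed the connection")
        buf += chunk
    return buf

def start_server(handler):
    """Bind a loopback listener on an ephemeral port, serve it from a daemon thread, return the port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    def accept_loop():
        while True:
            conn, _ = srv.accept()
            threading.Thread(target=handler, args=(conn,), daemon=True).start()
    threading.Thread(target=accept_loop, daemon=True).start()
    return srv.getsockname()[1]

def handle_target_client(conn):
    """Toy origin server (the 'actual target' of step 4): answers any request."""
    with conn:
        conn.recv(4096)
        conn.sendall(RESPONSE)

def handle_socks_client(conn):
    """Toy SOCKS5 server: greeting, method selection, CONNECT request, then relay."""
    try:
        ver, nmethods = _recv_exactly(conn, 2)                    # greeting: VER, NMETHODS
        if ver != SOCKS5:
            return  # step 2 fails: first byte is not 0x05 (a redirected HTTP stream starts with 'G', 0x47)
        _recv_exactly(conn, nmethods)                             # METHODS list, ignored by the toy
        conn.sendall(bytes([SOCKS5, 0]))                          # select NO AUTHENTICATION
        ver, cmd, _rsv, atyp = _recv_exactly(conn, 4)             # request header
        if ver != SOCKS5 or cmd != 1 or atyp != 1:                # toy supports CONNECT + IPv4 only
            conn.sendall(bytes([SOCKS5, 7, 0, 1]) + bytes(6))     # REP 7 = command not supported
            return
        dst = (socket.inet_ntoa(_recv_exactly(conn, 4)), int.from_bytes(_recv_exactly(conn, 2), "big"))
        try:
            upstream = socket.create_connection(dst)
        except OSError:
            conn.sendall(bytes([SOCKS5, 5, 0, 1]) + bytes(6))     # REP 5 = connection refused
            return
        with upstream:
            conn.sendall(bytes([SOCKS5, 0, 0, 1]) + bytes(6))     # REP 0 = succeeded (step 3)
            upstream.sendall(conn.recv(4096))                     # relay one request (step 4) ...
            conn.sendall(upstream.recv(4096))                     # ... and its response
    except ConnectionError:
        pass
    finally:
        conn.close()

def socks5_connect(proxy_port, dst_ip, dst_port):
    """Client side of steps 1 to 3; returns a socket ready for step 4."""
    s = socket.create_connection(("127.0.0.1", proxy_port))      # step 1: TCP handshake
    s.sendall(bytes([SOCKS5, 1, 0]))                             # greeting: offer NO AUTH
    if tuple(_recv_exactly(s, 2)) != (SOCKS5, 0):
        s.close()
        raise ConnectionError("proxy refused our authentication methods")
    s.sendall(bytes([SOCKS5, 1, 0, 1]) + socket.inet_aton(dst_ip) + dst_port.to_bytes(2, "big"))  # step 2
    ver, rep, _rsv, _atyp = _recv_exactly(s, 4)                  # step 3: reply header
    _recv_exactly(s, 6)                                          # BND.ADDR + BND.PORT (toy proxy always IPv4)
    if ver != SOCKS5 or rep != 0:
        s.close()
        raise ConnectionError(f"CONNECT failed, REP={rep}")
    return s

def via_socks(proxy_port, target_port):
    """A client that speaks SOCKS: the HTTP request reaches the target and the reply comes back."""
    with socks5_connect(proxy_port, "127.0.0.1", target_port) as s:
        s.sendall(REQUEST)
        return s.recv(4096)

def raw_redirect(proxy_port):
    """What a bare iptables REDIRECT to the SOCKS port amounts to: HTTP is the first thing the proxy sees."""
    with socket.create_connection(("127.0.0.1", proxy_port)) as s:
        s.sendall(REQUEST)
        try:
            return s.recv(4096)           # b"": the proxy closed without answering
        except ConnectionResetError:
            return b""                    # some kernels reset instead, since unread bytes were pending

if __name__ == "__main__":
    target, proxy = start_server(handle_target_client), start_server(handle_socks_client)
    print("via SOCKS:", via_socks(proxy, target), "| raw redirect:", raw_redirect(proxy))
```

`via_socks` gets the target's reply back through the proxy; `raw_redirect` gets nothing, because the proxy reads the first two bytes, finds 0x47 ('G') where it expects the version byte 0x05, and drops the connection (the client sees either EOF or a reset, hence the except). Terminating the redirected TCP connection locally and speaking SOCKS only on the upstream leg, which is what the `socks5_connect` half does here, is the job redsocks performs between iptables and the proxy.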