How can I make sure all my Mac's TCP traffic goes through a SOCKS5 proxy?



I have a SOCKS proxy with a port.

How can I make my Mac use it? What settings do I change under network settings?


Posted 2014-08-26T01:27:09.747

Reputation: 1 751



Why isn't System Preferences -> Network -> (select a network on the left side of the window and choose Advanced in the bottom right) -> Proxies (tab at the top) working for you?



Posted 2014-08-26T01:27:09.747

Reputation: 5 425

9That does not work for all apps. Skype, Chrome and others seem to bypass these settings - at least on 10.10... – Ingwie Phoenix – 2014-12-08T08:54:50.453

What you said is true. It's even mentioned in other comments. The author made it clear they wanted simple, so I started with simple by asking what about the answer I posted wouldn't work for them. Obviously it worked for them because they selected it. Security is not always about the 100% answer. Most of the time it is about risk reduction. – Everett – 2014-12-08T18:25:59.343

1Terminal cannot adopt system network socks5 proxy settings, but app wide will be ok. – E_Jovi – 2017-11-09T09:52:08.077
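
Added example, not part of the original answer or its comments: the comments above note that some applications ignore the system proxy settings, and this is one way to check for that by listing established TCP connections that go neither to the proxy nor to loopback. The function name `find_leaks`, the sample `lsof` lines and the proxy address 203.0.113.7:1080 are constructed for illustration.

```shell
#!/bin/sh
# find_leaks PROXY_HOST PROXY_PORT
# Reads `lsof -nP -iTCP -sTCP:ESTABLISHED` output on stdin and prints
# "COMMAND PID REMOTE" for each connection that goes neither to the proxy
# nor to loopback. LAN destinations are reported too; filter them if wanted.
find_leaks() {
    awk -v ph="$1" -v pp="$2" '
        $NF != "(ESTABLISHED)" { next }          # also skips the header line
        {
            name = $(NF - 1)                     # "local->remote"
            i = index(name, "->")
            if (i == 0) next
            remote = substr(name, i + 2)
            n = length(remote)                   # split at the LAST colon,
            while (n > 0 && substr(remote, n, 1) != ":") n--   # IPv6 is [addr]:port
            host = substr(remote, 1, n - 1)
            port = substr(remote, n + 1)
            gsub(/^\[|\]$/, "", host)            # drop IPv6 brackets
            if (host == ph && port == pp) next   # went through the proxy
            if (host ~ /^127\./ || host == "::1") next   # loopback
            print $1, $2, remote
        }'
}

# Constructed sample of lsof output (documentation address ranges only).
SAMPLE='COMMAND   PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
Safari    301 alex   12u  IPv4 0xa1      0t0  TCP 192.168.1.20:50111->203.0.113.7:1080 (ESTABLISHED)
Skype     412 alex   23u  IPv4 0xa2      0t0  TCP 192.168.1.20:50222->198.51.100.9:443 (ESTABLISHED)
vmware-vm 533 alex    8u  IPv6 0xa3      0t0  TCP [2001:db8::20]:50333->[2001:db8::99]:443 (ESTABLISHED)
helper    610 alex    5u  IPv4 0xa4      0t0  TCP 127.0.0.1:50444->127.0.0.1:9050 (ESTABLISHED)'

# Live use on the Mac (proxy address is a placeholder):
#   lsof -nP -iTCP -sTCP:ESTABLISHED | find_leaks 203.0.113.7 1080
printf '%s\n' "$SAMPLE" | find_leaks 203.0.113.7 1080
```

Any line it prints is a process talking to the network directly; an empty result only covers connections open at the moment `lsof` ran.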


While setting the system wide proxy settings is a good start, you may also want to look into using iptables to ensure that all traffic is going through the proxy. Some applications do not use system wide configuration settings (Firefox among them), and thus it's imperative that you tailor your rules not to allow direct connections and only to route traffic through the proxy.

EDIT: While I personally use iptables rules to manage potential "leakage" from my VPN, I was actually originally mistaken to think iptables could work with a SOCKS proxy directly. You'll need something like tun2socks in order to make a virtual tunnel interface (such as VPNs use).

Following that, you can set up an iptables script similar to the following:

#!/bin/bash
if [[ $EUID -ne 0 ]]; then
    echo "This script must be run as root" 1>&2
    exit 1
fi

# name of primary network interface (before tunnel)
# (value missing from this page; eth0 matches the route commands below)
PRIMARY=eth0

# gateway ip address (before tunnel - adsl router ip address)
# automatically determine the ip from the default route
GATEWAY=`route -n | grep $PRIMARY | egrep "^0\.0\.0\.0" | tr -s " " | cut -d" " -f2`

# provided by tun2socks: interface name
# (placeholder: the value is missing from this page)
TUNNEL=TUN2SOCKS_INTERFACE

# If you'd like, putting the tun2socks command here is a good idea.  It may or may not be necessary to do so, but either way is more convenient than running the two commands separately.

# iptables rules - important!


# Flush all previous filter rules, you might not want to include this line if you already have other rules setup
iptables -t filter --flush

iptables -t filter -X MYVPN
iptables -t filter -N MYVPN

# Add local routes to routing table
route add -net netmask dev eth0
route add -host dev eth0 gw

# Add ssh routes to routing table
ip route add table 128 to dev eth0
ip route add table 128 default via

# Exceptions for local traffic & vpn server
iptables -t filter -A MYVPN -o lo -j RETURN
iptables -t filter -A MYVPN -o ${TUNNEL} -j RETURN
iptables -t filter -A MYVPN --dst -j RETURN
iptables -t filter -A MYVPN --dst $LOCAL_NET -j RETURN
iptables -t filter -A MYVPN --dst ${SERVER} -j RETURN
iptables -t filter -A MYVPN --dst ${VPN_SERVER} -j RETURN

# Add extra local nets here as necessary

iptables -t filter -A MYVPN -j DROP

# MYVPN traffic leaving this host:
iptables -t filter -A OUTPUT -p tcp --syn -j MYVPN
iptables -t filter -A OUTPUT -p icmp -j MYVPN
iptables -t filter -A OUTPUT -p udp -j MYVPN

Naturally you'll want to make sure this script reflects your particular network (i.e., if you're using something like a subnet, adjust accordingly). Also, it is very tightly based on a script I use with a VPN, hence all the mentions of MYVPN or VPN -- while you're not using a VPN, tun2socks effectively behaves as if you are, so everything should work the same.

And special thanks to this answer over at Unix.SE for steering me in the right direction to answer this one.

EDIT again: So, looks like OS X actually would be doing this with ipfw rather than iptables (sorry, I'm mostly a Linux person, and thought OS X had iptables available). There are equivalencies such that the script can be adapted, some of which are pointed out here. man ipfw should set you straight on the syntax. I'll leave the original iptables script up as a template so you can see what is going on conceptually. WaterRoof appears like it may help make using ipfw a little more user friendly; other front ends may be available as well.


Posted 2014-08-26T01:27:09.747

Reputation: 706

I don't want to use iptables because it's too complicated. Tun2socks looks like I need SSH and a server. I just have an IP and a port...How can I just use the IP and port? – Alex – 2014-09-04T00:01:58.920

tun2socks doesn't require SSH and a server; the example on their site is for using SSH to create the SOCKS proxy in the first place. If you already have a SOCKS proxy, it's entirely unnecessary. And yes, iptables was a wrong way on my part. OS X, being based on BSD, uses ipfw rather than iptables, which is for the Linux kernel. As for it being complicated, you may be able to find a frontend that'll set it up for you in an easier to use manner, but I've no experience on this matter. It being complicated at a low level anyway has a lot to do with why it is so capable for the job. – 0xDAFACADE – 2014-09-04T01:11:40.453

I've added a frontend for you to use to the answer if it helps make navigating ipfw easier. – 0xDAFACADE – 2014-09-04T01:19:43.637


If you can set yourself up an SSH server, then the free sshuttle can tunnel all TCP traffic through the connection, doing all the firewall work for you.

To forward all TCP traffic and DNS requests to a remote SSH server, the command is simple enough:

sshuttle --dns -vr ssh_server 0/0

Besides TCP and DNS, sshuttle does not forward other requests such as UDP, ICMP, ping etc.

For more information and examples see the article Using Sshuttle in Daily Work.


Posted 2014-08-26T01:27:09.747

Reputation: 306 093

While the questioner doesn't have an SSH server to use for the purpose, I'd like to at least thank you for reminding me of this great tool and functionality it brings. The simplicity in that syntax is fantastic, and being able to handle either iptables or ipfw on the backend is really a feature worth praising from the rooftops. – 0xDAFACADE – 2014-09-04T20:04:00.310

This does not redirect all TCP traffic, for example if you have VMWare running it bypasses this. – Soheil – 2015-12-03T19:43:18.453


There are a number of solutions available. None of them is as simple as changing some settings: the reason is that this defeats the whole goal of proxying, which is to route some specific application through a different route (for purposes of stealth, security, identity protection...) while leaving you access to the (supposedly faster) local route.

Some are to be discarded because of your requirements, but let me just mention them for the sake of completeness: a VPN, an SSH tunnel, use of pfctl (the packet filter and NAT control interface). Also, Tor, though certainly not designed for the use you have in mind, allows you to route all traffic through their proxies.

All of these applications are free, and require at most some ingenuity to get them going. On the other hand, there are for-pay applications, where most of the work has been done by someone else, though at a price.


ProxyCap

enables you to redirect your computer's network connections through proxy servers. You can tell ProxyCap which applications will connect to the Internet through a proxy and under what circumstances. This is done through a user friendly interface, without the need to reconfigure any of your Internet clients.

Alternatively, there is Proxifier for Mac (careful: supports only out to 10.8), which

allows network applications that do not support working through proxy servers to operate through a SOCKS or HTTPS proxy and chains.


Posted 2014-08-26T01:27:09.747

Reputation: 41 321


Go to Preferences->Network. See if there is a lock on that, click on it and give your system administrator account password. Then Advanced->Proxies->Check on Socks Proxy. Give your proxy settings.

J Bourne

Posted 2014-08-26T01:27:09.747

Reputation: 68