IPTables and transparent proxies-Collection of common programming errors

I have set up a local, transparent TCP proxy on localhost. I want to redirect ALL TCP traffic to this proxy, so it can handle it and nothing “leaks out,” circumventing the proxy. I need to use IPTables to redirect the traffic. I thought about using TPROXY, but that requires application support and only the REDIRECT target is supported at the moment.

I have used the following IPTables rules:

iptables -t nat -A OUTPUT -o lo -j RETURN
iptables -t nat -A OUTPUT -d -j RETURN
iptables -t nat -A OUTPUT -d -j RETURN
iptables -t nat -A OUTPUT -m owner --uid-owner proxy-owner -j RETURN
iptables -t nat -A OUTPUT -p tcp --syn -j REDIRECT --to-ports $PROXY_PORT

iptables -A OUTPUT -o lo -j ACCEPT
iptables -A OUTPUT -d -j ACCEPT
iptables -A OUTPUT -m owner --uid-owner proxy-owner -j ACCEPT
iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -j LOG
iptables -P OUTPUT DROP

They seem to work fine; however, I’m confused as to why.

Here are two questions that I still don’t know the answer to:

1) Regarding the last rule in the NAT table, why do I only want to redirect SYN packets to the local proxy port (--syn)? I want to redirect ALL TCP packets. In the current configuration it seems like only the SYN packet is redirected to the local proxy, and all other packets are allowed to directly flow to the destination, leading (in theory) to a total mess (or all except SYN being blocked by the filter table). However, if I drop the --syn option and redirect ALL packets to the local proxy, the proxy does not work at all. Why?

2) Regarding the 4th rule in the filter table, why do I need to explicitly allow outgoing established connections? The proxy is the only application that is allowed to send packets to non-localhost destinations anyway, and it already is allowed to do so (rule 3), so what do I need the 4th rule for? It seems like it allows non-proxy connections to circumvent the proxy.

Thank you!
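The following is an added Python model, not part of the original post and not something the poster ran, of one netfilter behaviour that the first question turns on: for locally generated traffic the nat table is consulted only for the first packet of a connection, the verdict is recorded in the conntrack entry, and every later packet of that flow reuses the stored mapping without traversing nat again. The model only covers the outbound, locally generated direction and the ruleset as posted; PROXY_PORT, the proxy UID, the destination 203.0.113.5 and the packet sequence are constructed values.

```python
"""Toy model of nat/filter OUTPUT traversal for locally generated TCP.

Added illustration, not code from the original post. It models the fact
that the nat table is consulted once per connection and the verdict is then
carried by the conntrack entry, so a '--syn' REDIRECT covers the whole flow.
Constructed values: PROXY_PORT, PROXY_UID, the sample destination and the
packet sequence are all made up for this example.
"""
from dataclasses import dataclass, field

PROXY_PORT = 3128          # constructed stand-in for $PROXY_PORT
PROXY_UID = 1001           # constructed stand-in for the 'proxy-owner' uid
LOOPBACK_PREFIX = "127."   # destinations that leave via lo


@dataclass(frozen=True)
class Packet:
    src_port: int
    dst_ip: str
    dst_port: int
    uid: int                # owner of the socket that generated the packet
    syn: bool = False
    ack: bool = True


@dataclass
class Conntrack:
    """Minimal connection table keyed by the original (sport, dip, dport)."""
    flows: dict = field(default_factory=dict)

    @staticmethod
    def key(p):
        return (p.src_port, p.dst_ip, p.dst_port)


def nat_output(p, require_syn=True):
    """nat OUTPUT chain from the post; returns the new destination or None."""
    if p.dst_ip.startswith(LOOPBACK_PREFIX):    # -o lo -j RETURN
        return None
    if p.uid == PROXY_UID:                      # --uid-owner proxy-owner -j RETURN
        return None
    if (not require_syn) or p.syn:              # -p tcp [--syn] -j REDIRECT
        return ("127.0.0.1", PROXY_PORT)
    return None


def filter_output(p, state, allow_established=True):
    """filter OUTPUT chain from the post; returns 'ACCEPT' or 'DROP'."""
    if p.dst_ip.startswith(LOOPBACK_PREFIX):    # -o lo -j ACCEPT
        return "ACCEPT"
    if p.uid == PROXY_UID:                      # --uid-owner proxy-owner -j ACCEPT
        return "ACCEPT"
    if allow_established and state == "ESTABLISHED":   # --ctstate ESTABLISHED,RELATED
        return "ACCEPT"
    return "DROP"                               # -j LOG, then policy DROP


def send(ct, p, require_syn=True, allow_established=True):
    """Pass one locally generated packet through nat, then filter.

    Returns (effective destination, filter verdict).
    """
    k = ct.key(p)
    if k not in ct.flows:
        # First packet of an unknown flow: state NEW, nat consulted exactly once.
        ct.flows[k] = {"nat": nat_output(p, require_syn), "state": "NEW"}
        state = "NEW"
    else:
        # Later packets never traverse nat; the stored mapping is reused.
        ct.flows[k]["state"] = "ESTABLISHED"
        state = "ESTABLISHED"
    mapping = ct.flows[k]["nat"]
    dst = mapping if mapping else (p.dst_ip, p.dst_port)
    # After REDIRECT the packet is re-routed, so filter sees the new destination.
    rewritten = Packet(p.src_port, dst[0], dst[1], p.uid, p.syn, p.ack)
    return dst, filter_output(rewritten, state, allow_established)


def trace_connection(require_syn=True):
    """SYN, ACK and a data segment from an ordinary (non-proxy) process."""
    ct = Conntrack()
    pkts = [
        Packet(40000, "203.0.113.5", 80, uid=1000, syn=True, ack=False),  # SYN
        Packet(40000, "203.0.113.5", 80, uid=1000),                        # ACK
        Packet(40000, "203.0.113.5", 80, uid=1000),                        # data
    ]
    return [send(ct, p, require_syn=require_syn) for p in pkts]


if __name__ == "__main__":
    for dst, verdict in trace_connection():
        print(dst, verdict)
```

In the model every packet of the flow, not only the SYN, ends up at 127.0.0.1:PROXY_PORT because the mapping lives in the conntrack entry. Calling `send` on a lone non-SYN packet that belongs to no known flow shows what `--syn` changes: with it, such a packet is left alone by nat and then dropped by the filter policy; with `require_syn=False` it would be redirected into the proxy mid-stream.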