How do I force VPN clients to only go through a local SOCKS5 proxy?
3 votes · 1 answer · 2894 views
I have a Raspberry Pi which establishes an SSH connection to a remote server (VPS) and opens a port on the Pi so I can use it as a SOCKS5 proxy. This is the command I use to establish the tunnel:
ssh -D 1080 -f -C -q -N user@hostname
The reason for this is that the network blocks VPN using DPI but not SSH. So I have set up a VPN on the LAN and set up a SOCKS5 proxy (same Pi). The problem is, if the proxy is down, then the VPN outbound traffic (so where it is no longer VPN traffic but just regular HTTP(S)) will not use it and attempt to send those requests through the network firewall anyway. I want to stop this from happening so that if the proxy is down, the VPN will not allow any connection outbound.
This shows you how it is supposed to work:
        ______________________________
       |                              |
       |            Client            |
       |______________________________|
                      |
                      | L2TP over IPSEC
      ________________|_______________ __
     |                                |  |
     |       VPN (192.168.1.XXX)      |  |
     |________________________________|  |
      ________________|_______________   |-RaspberryPi
     |                                |  |
     |    SOCKS5 (127.0.0.1:1080)     |  |
     |________________________________|__|
                      |
                      | SSH tunnel
      ________________|________________
     |                                 |
     |        VPS (Amazon EC2)         |
     |_________________________________|
                      |
                     / \
                    /   \
                the internet
These are my iptables:
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 192.168.42.0/24 -o eth+ -j MASQUERADE
-A POSTROUTING -s 192.168.43.0/24 -o eth+ -m policy --dir out --pol none -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p udp -m udp --dport 1701 -m policy --dir in --pol none -j DROP
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p udp -m multiport --dports 500,4500 -j ACCEPT
-A INPUT -p udp -m udp --dport 1701 -m policy --dir in --pol ipsec -j ACCEPT
-A INPUT -p udp -m udp --dport 1701 -j DROP
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD -i eth+ -o ppp+ -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i ppp+ -o eth+ -j ACCEPT
-A FORWARD -s 192.168.42.0/24 -d 192.168.42.0/24 -i ppp+ -o ppp+ -j ACCEPT
-A FORWARD -d 192.168.43.0/24 -i eth+ -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.43.0/24 -o eth+ -j ACCEPT
-A FORWARD -j DROP
COMMIT
This was the script used to make the VPN https://github.com/hwdsl2/setup-ipsec-vpn
So my question is: How can I change these iptables to force the VPN clients to only use a SOCKS5 proxy on the LAN? (otherwise DROP their non-proxy-destined packets)
Asked by user3573987
(178 rep)
Apr 4, 2017, 12:35 AM
Last activity: Jul 28, 2022, 04:09 AM