Why do people love saying this!
At minimum you’d need:
```
# Redirect all TCP packets coming in from any vif##.0 interface to host_vif_ip:12345
iptables -t nat -I PREROUTING -i vif+ -p tcp -j REDIRECT --to-ports 12345
# Ensure host_vif_ip:12345 accepts input
iptables -I INPUT -i vif+ -p tcp -m tcp --dport 12345 -j ACCEPT
# No routing, just mitm'ing
echo 0 > /proc/sys/net/ipv4/ip_forward
echo 0 > /proc/sys/net/ipv6/conf/all/forwarding
# And just in case
iptables -P FORWARD DROP
iptables -F FORWARD
```
Then run redsocks on 0.0.0.0:12345 [not localhost, as a REDIRECT doesn’t hop interfaces] and feed it to your upstream SOCKS server on localhost:1080.
But…you need to account for leaks, you need to deal with DNS, the rules could be refined further such as only new SYNs get redirected, etcetera; stuff the Whonix team has figured out and probably tested.
And then you’d want to make sure your “nym” ProxyVM only allows nym traffic out, etcetera, etcetera. Probably doing this by running whatever daemon it is under a designated uid/gid and doing a -m owner match, and disallowing all other OUTPUT out of the upstream interface (eth0).
The recommendation to disable qubes-firewall is only because it might interfere. Aside from setting up initial user-supplied rules from /rw/config, it dynamically modifies iptables/nft rulesets to ensure packets are forwarded. For your purposes, forwarding is bad [as well as NAT]. Don’t expect any Qube Settings-configured Firewall rules to work.
This is why I say just take the time to understand what Whonix has done and replicate it. Find out what the TransparentPort is in the torrc and see what corresponding stuff iptables has for it. I don’t have much Whonix experience but I presume this is stuff they’ve had to have figured out already.
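Added example, not part of the original post: a small audit that reads an `iptables-save` dump and reports which of the properties described above are missing (the vif+ redirect to the proxy port, a FORWARD chain that drops everything, and eth0 OUTPUT limited to one daemon uid). The uid 1001, the finding names and both sample dumps are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit an iptables-save dump for the post's requirements.
# uid 1001 and both dumps below are constructed samples, not real output.

GOOD_RULES='*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -i vif+ -p tcp -j REDIRECT --to-ports 12345
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i vif+ -p tcp -m tcp --dport 12345 -j ACCEPT
-A OUTPUT -o eth0 -m owner --uid-owner 1001 -j ACCEPT
-A OUTPUT -o eth0 -j DROP
COMMIT'

LEAKY_RULES='*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -i vif+ -p tcp -j REDIRECT --to-ports 12345
COMMIT
*filter
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -i vif+ -o eth0 -j ACCEPT
-A OUTPUT -o eth0 -j ACCEPT
COMMIT'

# audit_rules DUMP PORT UID: prints space-separated findings, empty if clean.
audit_rules() {
  _f=""
  # TCP from any vif must be redirected to the local proxy port.
  printf '%s\n' "$1" | grep -Eq -- "^-A PREROUTING -i vif\+ .*-p tcp .*-j REDIRECT --to-ports $2\$" || _f="$_f no-redirect"
  # FORWARD must default to DROP and carry no ACCEPT rules.
  printf '%s\n' "$1" | grep -q -- '^:FORWARD DROP ' || _f="$_f forward-policy"
  printf '%s\n' "$1" | grep -Eq -- '^-A FORWARD .*-j ACCEPT' && _f="$_f forward-accept"
  # On eth0, only the daemon uid may be accepted and the last rule must drop.
  _out=$(printf '%s\n' "$1" | grep -- '^-A OUTPUT .*-o eth0' || true)
  printf '%s\n' "$_out" | grep -Eq -- "-m owner --uid-owner $3 .*-j ACCEPT\$" || _f="$_f no-owner-accept"
  printf '%s\n' "$_out" | grep -- '-j ACCEPT$' | grep -vq -- '--uid-owner' && _f="$_f unowned-accept"
  printf '%s\n' "$_out" | tail -n 1 | grep -Eq -- '-j (DROP|REJECT)' || _f="$_f no-final-drop"
  echo "${_f# }"
}

echo "good:  [$(audit_rules "$GOOD_RULES" 12345 1001)]"
echo "leaky: [$(audit_rules "$LEAKY_RULES" 12345 1001)]"
```

On a live ProxyVM the first argument would be the output of `iptables-save`; the audit covers IPv4 rules only and does not check DNS handling or the `ip_forward` sysctls.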