Ready-to-Use Docker Compose Cybersecurity Practice Lab

Below is a complete, ready-to-use Docker Compose cybersecurity practice lab, including:

  • Kali attacker
  • DVWA (web exploitation)
  • Metasploitable 2 alternative (Docker)
  • OWASP Juice Shop
  • Internal DNS + Web server
  • Separated networks (internal_net and public_net)
  • Optional macvlan mode version so containers appear as real LAN devices

You get two versions:

1. Standard isolated lab — safest for practice
2. Macvlan version — containers behave like real devices on your LAN


Safe, Isolated Cybersecurity Lab (Recommended)

Create a file:

docker-compose.yml

Paste:

version: "3.9"
 
services:
 
  kali:
    image: kalilinux/kali-rolling
    container_name: kali
    tty: true
    command: ["/bin/bash"]
    dns:
      - 10.10.10.53   # resolve the *.local names through internal-dns
    networks:
      internal_net:
        ipv4_address: 10.10.10.10
 
  dvwa:
    image: vulnerables/web-dvwa
    container_name: dvwa
    networks:
      internal_net:
        ipv4_address: 10.10.10.20
    ports:
      - "127.0.0.1:8080:80"   # optional access from the Docker host only, not the LAN
    restart: unless-stopped
 
  juice:
    image: bkimminich/juice-shop
    container_name: juice
    networks:
      internal_net:
        ipv4_address: 10.10.10.30
    ports:
      - "127.0.0.1:3000:3000"   # bound to loopback so the LAN cannot reach it
    restart: unless-stopped
 
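  metasploitable:
    image: tleemcjr/metasploitable2
    container_name: metasploitable
    tty: true
    # start the image's bundled services, then keep a shell open so the container stays up
    command: ["sh", "-c", "/bin/services.sh && bash"]
    networks:
      internal_net:
        ipv4_address: 10.10.10.40
    restart: unless-stopped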
 
  internal-web:
    image: nginx
    container_name: internal-web
    networks:
      internal_net:
        ipv4_address: 10.10.10.50
    restart: unless-stopped
 
  internal-dns:
    image: andyshinn/dnsmasq
    container_name: internal-dns
    cap_add:
      - NET_ADMIN
    command: [
      "-k",
      "--log-facility=-",
      "--address=/dvwa.local/10.10.10.20",
      "--address=/juice.local/10.10.10.30",
      "--address=/web.local/10.10.10.50"
    ]
    networks:
      internal_net:
        ipv4_address: 10.10.10.53
    restart: unless-stopped
 
networks:
  internal_net:
    driver: bridge
    ipam:
      config:
        - subnet: 10.10.10.0/24

How to start

docker compose up -d

Test from inside Kali

docker exec -it kali bash

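Then (the kali-rolling image ships without tools, so install the ones used here first):

apt update && apt install -y iputils-ping nmap curl
ping 10.10.10.20
nmap -sV 10.10.10.0/24
curl http://dvwa.local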

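You now have a complete multi-host hacking environment on its own Docker bridge network, separate from your real LAN. Other machines can reach the targets only through the ports published under ports:, and the containers can still make outbound connections through Docker's NAT.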
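
To check the lab's exposure rather than assume it, this added example (not part of the original page) audits a config in the shape printed by `docker compose config --format json` and lists every way the targets are reachable beyond the bridge. The sample data is constructed, with one port published on all interfaces and one pinned to loopback; the JSON shape and the names `audit` and `is_loopback` are assumptions of this example.

```python
import ipaddress
import json

# Constructed sample in the shape of `docker compose config --format json`
# (trimmed): dvwa publishes on all interfaces, juice only on loopback.
SAMPLE = json.loads("""
{
  "services": {
    "kali":  {"networks": {"internal_net": {"ipv4_address": "10.10.10.10"}}},
    "dvwa":  {"networks": {"internal_net": {"ipv4_address": "10.10.10.20"}},
              "ports": [{"mode": "ingress", "target": 80,
                         "published": "8080", "protocol": "tcp"}]},
    "juice": {"networks": {"internal_net": {"ipv4_address": "10.10.10.30"}},
              "ports": [{"mode": "ingress", "host_ip": "127.0.0.1",
                         "target": 3000, "published": "3000", "protocol": "tcp"}]}
  },
  "networks": {"internal_net": {"driver": "bridge"}}
}
""")


def is_loopback(host_ip):
    """True only when a published port is pinned to a loopback address."""
    try:
        return ipaddress.ip_address(host_ip).is_loopback
    except ValueError:  # missing or empty host_ip means "all interfaces"
        return False


def audit(cfg):
    """Return (kind, name, detail) findings for ways the lab is reachable."""
    findings = []
    for name, svc in sorted(cfg.get("services", {}).items()):
        for port in svc.get("ports") or []:
            if "published" in port and not is_loopback(port.get("host_ip", "")):
                bind = f"{port.get('host_ip') or '0.0.0.0'}:{port['published']}"
                findings.append(("lan-exposed-port", name, bind))
    for name, net in sorted(cfg.get("networks", {}).items()):
        if net.get("external") or net.get("driver") == "macvlan":
            findings.append(("on-real-lan", name, "external/macvlan network"))
        elif not net.get("internal"):
            findings.append(("outbound-nat", name, "bridge without internal: true"))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(*finding, sep="\t")
```

To audit the real file, load the output of `docker compose config --format json` with `json.load` and pass the result to `audit()`.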


Macvlan Lab (Containers Appear as Real LAN Devices)

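⚠️ This version makes containers visible on your real network, like physical devices, so every host on that LAN can reach the intentionally vulnerable DVWA, Juice Shop and Metasploitable services.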

Update the IPs to match your LAN (example uses 192.168.1.0/24).


Step 1 — Create macvlan network externally

Replace eth0 with your NIC:

sudo docker network create -d macvlan \
  --subnet=192.168.1.0/24 \
  --gateway=192.168.1.1 \
  -o parent=eth0 \
  lab_lan

Step 2 — Use this macvlan in Compose

docker-compose-macvlan.yml:

version: "3.9"
 
services:
 
  kali:
    image: kalilinux/kali-rolling
    container_name: kali
    tty: true
    command: ["/bin/bash"]
    networks:
      lab_lan:
        ipv4_address: 192.168.1.50
 
  dvwa:
    image: vulnerables/web-dvwa
    container_name: dvwa
    networks:
      lab_lan:
        ipv4_address: 192.168.1.60
    restart: unless-stopped
 
  juice:
    image: bkimminich/juice-shop
    container_name: juice
    networks:
      lab_lan:
        ipv4_address: 192.168.1.70
    restart: unless-stopped
 
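  metasploitable:
    image: tleemcjr/metasploitable2
    container_name: metasploitable
    tty: true
    # start the image's bundled services, then keep a shell open so the container stays up
    command: ["sh", "-c", "/bin/services.sh && bash"]
    networks:
      lab_lan:
        ipv4_address: 192.168.1.80
    restart: unless-stopped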
 
networks:
  lab_lan:
    external: true

Start:

docker compose -f docker-compose-macvlan.yml up -d

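Now scan from another machine on your LAN (by default the Docker host itself cannot reach macvlan containers through the parent interface):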

nmap 192.168.1.0/24

You will see:

  • 192.168.1.50 → Kali
  • 192.168.1.60 → DVWA
  • 192.168.1.70 → Juice Shop
  • 192.168.1.80 → Metasploitable

All behaving like actual network devices.