Building a Local Cybersecurity Practice Environment With Docker

Docker is one of the most powerful and overlooked tools for cybersecurity practice. With a few simple commands, you can emulate:

  • Servers
  • Workstations
  • Vulnerable applications
  • Internal networks
  • Multi-segment architectures
  • Attack/defense environments

Unlike VMs, Docker uses containers—lightweight, fast, reproducible. With correct networking, your containers can even appear as local devices, allowing you to practice recon, lateral movement, scanning, and exploitation scenarios in a realistic environment.

This guide explains how to build a local practice network using Docker, create isolated networks, run vulnerable machines, and—optionally—expose them as local IP devices.


1. Install Docker

Linux (Ubuntu)

sudo apt update
# docker-compose-v2 is the Compose plugin package that matches docker.io in Ubuntu's own archive
sudo apt install docker.io docker-compose-v2
sudo systemctl enable --now docker
sudo usermod -aG docker $USER

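Log out and log back in so the new group membership takes effect. Membership in the docker group is equivalent to root on the host, so add only accounts you would trust with sudo.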

macOS / Windows

Install Docker Desktop from docker.com.


2. Basic Concepts for Cybersecurity Labs

To emulate a real network, you need to understand 3 Docker components:

Component             | Description
----------------------|------------------------------------------------------------
Containers            | Act like lightweight virtual machines. Good for running apps, servers, vulnerable software.
Docker Networks       | Virtual switches. You can create multiple networks for segmentation.
Bridge Mode (default) | Containers get private IPs (e.g., 172.18.x.x). Good for making an internal lab.
Macvlan Mode          | Allows containers to appear on the real LAN with their own IPs.

Macvlan Mode is perfect for:

  • Nmap scanning
  • Wireshark packet captures
  • Simulating networked devices

3. Create a Basic Internal Lab Network (Bridge)

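If you want containers to talk to each other without being reachable from your real network, create a user-defined bridge network. Containers on it can still open outbound connections through the host's NAT; a network created with the --internal option has no route out at all.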

docker network create --subnet 10.10.10.0/24 internal_lab

Example: start a web server, a vulnerable machine and an attack box:

Web server

docker run -d \
  --name web01 \
  --network internal_lab \
  --ip 10.10.10.10 \
  nginx

Vulnerable machine (DVWA)

docker run -d \
  --name dvwa \
  --network internal_lab \
  --ip 10.10.10.20 \
  vulnerables/web-dvwa

Attack machine (Kali container)

docker run -it \
  --name kali \
  --network internal_lab \
  --ip 10.10.10.100 \
  kalilinux/kali-rolling bash

Now you have a small virtual network:

Device | IP           | Use
-------|--------------|-------------------
web01  | 10.10.10.10  | Web server
dvwa   | 10.10.10.20  | Vulnerable web app
kali   | 10.10.10.100 | Attack box

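From the Kali container (the base kalilinux/kali-rolling image ships without tools, so install them first):

# Install the scanner and HTTP client inside the container
apt update && apt install -y nmap curl
nmap 10.10.10.0/24
curl 10.10.10.20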

4. Making Containers Appear as Local Devices (Macvlan)

Macvlan puts containers directly on your LAN with real IPs.

This allows:

  • Your real machine to scan them
  • Network tools to see them as separate hosts
  • Perfect simulation of small business networks

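⚠️ Requirement: Your network must allow multiple MAC addresses per port (most home routers do). Use a wired interface as the parent; most Wi-Fi adapters cannot carry macvlan traffic in client mode.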

Step 1: Identify your network interface

Linux:

ip a

Example interface: eth0

Step 2: Create a macvlan network

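Replace 192.168.1.0/24, the gateway address and eth0 with the values for your LAN. Pick container IPs outside your router's DHCP pool so they cannot collide with real devices.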

sudo docker network create -d macvlan \
  --subnet=192.168.1.0/24 \
  --gateway=192.168.1.1 \
  -o parent=eth0 \
  lab_lan

Step 3: Launch containers with real LAN IPs

docker run -d \
  --name apache01 \
  --network lab_lan \
  --ip 192.168.1.50 \
  httpd

docker run -d \
  --name win-vuln \
  --network lab_lan \
  --ip 192.168.1.60 \
  vulnerables/metasploitable

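Now, from another machine on the LAN (or from the Docker host once the interface in section 5 is set up), you can run: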

nmap 192.168.1.0/24

And you will see:

  • 192.168.1.50 (Apache server)
  • 192.168.1.60 (Metasploitable)
  • Other real devices

Your containers behave like actual network devices.


5. Optional: Create a "network tap" so the host can talk to macvlan

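By default, the Docker host cannot communicate with its own macvlan containers, because the kernel does not pass traffic between a parent interface and its macvlan children. The fix is a macvlan interface on the host with routes to the container IPs (192.168.1.200 must be an unused address on your LAN):

sudo ip link add macvlan0 link eth0 type macvlan mode bridge
sudo ip addr add 192.168.1.200/32 dev macvlan0
sudo ip link set macvlan0 up
# Send traffic for the container IPs through macvlan0 instead of eth0
sudo ip route add 192.168.1.50/32 dev macvlan0
sudo ip route add 192.168.1.60/32 dev macvlan0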

Now your host can ping and scan the containers:

ping 192.168.1.50

6. Using Docker Compose (Recommended)

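Instead of running multiple commands, create a docker-compose.yml. If the lab_lan network and containers from section 4 still exist, remove them first: Compose would otherwise try to create a second macvlan network on the same parent interface, which Docker rejects.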

services:
  web01:
    image: nginx
    networks:
      lab_lan:
        ipv4_address: 192.168.1.50
 
  dvwa:
    image: vulnerables/web-dvwa
    networks:
      lab_lan:
        ipv4_address: 192.168.1.60
 
networks:
  lab_lan:
    driver: macvlan
    driver_opts:
      parent: eth0
    ipam:
      config:
        - subnet: 192.168.1.0/24
          gateway: 192.168.1.1

Launch everything:

docker compose up -d

7. Example Cybersecurity Practice Scenarios

Recon & Scanning

  • Use Nmap from the host or from a Kali container
  • Test ARP scans, TCP scans, service enumeration

Web exploitation

  • DVWA
  • Metasploitable 2
  • WebGoat
  • Juice Shop

Segmentation testing

Create two networks:

docker network create netA
docker network create netB

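Place some devices in netA, others in netB. Docker does not route between separate networks, so you can simulate a firewall by attaching only selected containers to both networks, making them the only path between the segments.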
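
An added example (not part of the original guide) for writing down the expected result of a segmentation lab before you scan it, so any pair that connects when the plan says "blocked" stands out. The service names and their netA/netB placement are constructed for illustration.

```python
from collections import deque

# Constructed lab layout: service name -> Docker networks it is attached to.
# "proxy" is the only dual-homed container (attached to both netA and netB).
LAB = {
    "kali":  {"netA"},
    "web01": {"netA"},
    "proxy": {"netA", "netB"},
    "db01":  {"netB"},
}

def direct_peers(lab, src):
    """Services that share at least one network with src."""
    return {name for name, nets in lab.items()
            if name != src and nets & lab[src]}

def bridges(lab):
    """Services on more than one network: the only cross-segment paths."""
    return sorted(name for name, nets in lab.items() if len(nets) > 1)

def path(lab, src, dst):
    """Shortest chain of services from src to dst, or None if segmented."""
    queue, seen = deque([[src]]), {src}
    while queue:
        route = queue.popleft()
        if route[-1] == dst:
            return route
        for peer in sorted(direct_peers(lab, route[-1])):
            if peer not in seen:
                seen.add(peer)
                queue.append(route + [peer])
    return None

def expected_matrix(lab):
    """(src, dst) -> 'direct', 'via <hops>' or 'blocked' for each ordered pair."""
    out = {}
    for src in lab:
        for dst in lab:
            if src == dst:
                continue
            route = path(lab, src, dst)
            if route is None:
                out[(src, dst)] = "blocked"
            elif len(route) == 2:
                out[(src, dst)] = "direct"
            else:
                out[(src, dst)] = "via " + ",".join(route[1:-1])
    return out

if __name__ == "__main__":
    for pair, verdict in sorted(expected_matrix(LAB).items()):
        print(pair, verdict)
```

A "via" entry means the destination is reachable only if the named container forwards or proxies traffic, which is the control the lab is meant to test.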

Malware analysis (safe mode)

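Use isolated bridge networks (NOT macvlan) to prevent malware from reaching your real LAN. Create them with the --internal option: an ordinary bridge network still NATs outbound traffic through the host, so a sample on it could reach the LAN and the internet. Containers share the host kernel, so treat this as network isolation only.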


8. Best Practices for Safe Cybersecurity Labs

  • Use isolated bridge networks for malware experiments
  • Avoid exposing vulnerable containers to the actual internet
  • Stop/clean containers regularly
  • Version control your Docker Compose lab setups
  • Use lab subnets that do not overlap your real networks (for example, 10.x.x.x ranges)
  • Take snapshots using container images
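
An added example (not from the original guide) that turns the first two practices into a check: it reads JSON in the shape of `docker network inspect` output and reports how far each container's traffic can travel, flagging containers that must stay sandboxed. The sample data, the network name malware_net and the container name sample01 are constructed.

```python
import json

# Constructed sample shaped like `docker network inspect <network> ...` output.
# "malware_net" and "sample01" are hypothetical names, not from the guide.
SAMPLE = json.loads("""[
 {"Name": "internal_lab", "Driver": "bridge", "Internal": false,
  "Containers": {"a1": {"Name": "dvwa", "IPv4Address": "10.10.10.20/24"},
                 "a2": {"Name": "kali", "IPv4Address": "10.10.10.100/24"}}},
 {"Name": "lab_lan", "Driver": "macvlan", "Internal": false,
  "Containers": {"b1": {"Name": "apache01", "IPv4Address": "192.168.1.50/24"},
                 "b2": {"Name": "sample01", "IPv4Address": "192.168.1.70/24"}}},
 {"Name": "malware_net", "Driver": "bridge", "Internal": true,
  "Containers": {"c1": {"Name": "sample01", "IPv4Address": "10.66.0.5/24"}}}
]""")

def exposure(net):
    """How far can traffic from containers on this network travel?"""
    if net.get("Internal") or net.get("Driver") == "null":
        return "isolated"      # no route off the Docker network
    if net.get("Driver") in ("macvlan", "ipvlan"):
        return "on-lan"        # containers sit next to real LAN devices
    if net.get("Driver") == "host":
        return "host-stack"    # container shares the host's interfaces
    return "nat-egress"        # bridge: hidden from the LAN, but NATed out

def placement(networks):
    """container name -> sorted list of (network, exposure) attachments."""
    table = {}
    for net in networks:
        for c in (net.get("Containers") or {}).values():
            table.setdefault(c["Name"], []).append((net["Name"], exposure(net)))
    return {name: sorted(rows) for name, rows in table.items()}

def violations(networks, must_isolate):
    """Attachments that let a must-isolate container leave its sandbox."""
    return sorted((name, net, level)
                  for name, rows in placement(networks).items()
                  if name in must_isolate
                  for net, level in rows if level != "isolated")

if __name__ == "__main__":
    for name, rows in placement(SAMPLE).items():
        print(name, rows)
    print("violations:", violations(SAMPLE, {"sample01"}))
```

On a real host, replace SAMPLE with the parsed output of `docker network inspect $(docker network ls -q)`.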

9. Conclusion

Docker gives cybersecurity practitioners a fast, flexible, and safe environment for:

  • Network simulations
  • Vulnerability testing
  • Service enumeration
  • Segmentation experiments
  • Small-scale enterprise replicas

With macvlan, containers can behave like real devices on your LAN, letting you practice reconnaissance, pivoting, and network mapping exactly as you would in a real organization.