This project simulates a small production-style infrastructure built from KVM virtual machines.
The lab demonstrates:
- network segmentation
- firewall configuration with nftables
- internal DNS with bind9
- web service with nginx
- automated backups using rsync
| VM | Role | Software | IP |
|---|---|---|---|
| Router VM | Network gateway, firewall, NAT | nftables | 192.168.100.1 |
| DNS VM | Internal DNS server | bind9 | 192.168.100.10 |
| Web VM | Web service | nginx | 192.168.100.20 |
| Backup VM | Backup storage | rsync | 192.168.100.30 |

The infrastructure is designed to simulate the typical traffic flows between these services.

**External traffic**

`Internet → Router VM → Web Server`

Users access the web service through HTTP/HTTPS.

**Internal DNS resolution**

`Web Server → DNS Server`

The web server resolves hostnames using the internal bind9 DNS server.

**Backup operations**

`Web Server → Backup Server`

Backup tasks run automatically and synchronize data using rsync over SSH.
This separation of services helps model a basic production-style infrastructure where each server has a dedicated role.
**Router VM**

- nftables firewall
- NAT gateway
- entry point from Internet

**DNS VM**

- bind9 internal DNS

**Web VM**

- nginx web service

**Backup VM**

- rsync backup storage
Network security in the lab environment is implemented at the Router VM using nftables.
The router acts as the gateway between the internal network and the Internet and performs both firewall filtering and NAT.
Security principles used in the configuration:
- default deny policy for incoming traffic
- only required ports are exposed
- internal services are isolated from the Internet
- NAT hides internal IP addresses
Only the web service is reachable from outside the network, while DNS and backup services remain internal.
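A concrete nftables ruleset that implements the principles listed above. This is an added example, not the lab's own configuration: the addresses are the ones from the VM table, but the interface names `eth0` (Internet side) and `eth1` (internal side) are assumptions. The `input` and `forward` chains default to drop, only ports 80 and 443 are DNAT'd to the Web VM, and everything leaving toward the Internet is masqueraded behind the router.

```nft
#!/usr/sbin/nft -f
# Added example ruleset for the Router VM (assumed interface names).
flush ruleset

define WAN = "eth0"            # assumption: Internet-facing interface
define LAN = "eth1"            # assumption: internal 192.168.100.0/24 side
define WEB = 192.168.100.20    # Web VM from the lab table

table inet filter {
    chain input {
        # Traffic addressed to the router itself: default deny
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        iif lo accept
        # Management SSH only from the internal network, never from WAN
        iifname $LAN tcp dport 22 accept
        icmp type echo-request limit rate 5/second accept
    }
    chain forward {
        # Traffic routed between LAN and WAN: default deny
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        # Internal VMs may initiate connections to the Internet
        iifname $LAN oifname $WAN accept
        # The only inbound service: HTTP/HTTPS to the Web VM (after DNAT)
        iifname $WAN oifname $LAN ip daddr $WEB tcp dport { 80, 443 } ct state new accept
    }
    chain output {
        type filter hook output priority 0; policy accept;
    }
}

table ip nat {
    chain prerouting {
        # Publish the web service on the router's WAN address
        type nat hook prerouting priority -100;
        iifname $WAN tcp dport { 80, 443 } dnat to $WEB
    }
    chain postrouting {
        # Hide internal addresses behind the WAN address
        type nat hook postrouting priority 100;
        oifname $WAN masquerade
    }
}
```

Syntax-check with `nft -c -f /etc/nftables.conf` before loading, then `nft -f /etc/nftables.conf` and inspect with `nft list ruleset`. Forwarding also requires `net.ipv4.ip_forward=1` in sysctl. The DNS and Backup VMs stay unreachable from outside because no `forward` rule and no `dnat` entry mentions them; the `policy drop` defaults do the isolating, so any new exposure has to be an explicit rule.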

Key characteristics of the backup design:
- secure transfer using SSH
- incremental backups using rsync
- automated execution using systemd timers
- centralized storage on a dedicated Backup VM
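The script below is an added example of the backup job described by that list, not the project's own code. It runs on the Backup VM and pulls the web content over SSH into timestamped snapshot directories; `--link-dest` hard-links unchanged files to the previous snapshot, which is what makes each run incremental while every snapshot stays a complete tree. The `backup` account on the Web VM, the document root `/var/www/`, the store `/srv/backup/web` and the key `/root/.ssh/backup_ed25519` are all assumptions.

```shell
#!/bin/sh
# Pull-style incremental backup of the Web VM, run on the Backup VM from a
# systemd timer. Added example; all paths, users and the key file are assumptions.
set -eu

WEB_HOST="${WEB_HOST:-192.168.100.20}"          # Web VM address from the lab table
WEB_USER="${WEB_USER:-backup}"                  # assumed read-only account on the Web VM
SOURCE_DIR="${SOURCE_DIR:-/var/www/}"           # assumed nginx document root
BACKUP_ROOT="${BACKUP_ROOT:-/srv/backup/web}"   # assumed local snapshot store
SSH_KEY="${SSH_KEY:-/root/.ssh/backup_ed25519}" # assumed dedicated backup key
KEEP="${KEEP:-7}"                               # number of snapshots to retain

# Snapshot names are UTC timestamps, so lexical order equals chronological order
snapshot_name() {
    date -u +%Y-%m-%dT%H%M%SZ
}

# Newest existing snapshot under $1, or an empty string when the store is empty
latest_snapshot() {
    ls -1 "$1" 2>/dev/null | sort | tail -n 1
}

# Build the rsync command line: $1 = new snapshot name, $2 = previous snapshot
# name (may be empty on the first run). -a keeps permissions and timestamps,
# -H/-A/-X keep hard links, ACLs and xattrs, --delete mirrors removals.
build_rsync_cmd() {
    _cmd="rsync -aHAX --delete --numeric-ids -e 'ssh -i $SSH_KEY -o BatchMode=yes'"
    if [ -n "$2" ]; then
        _cmd="$_cmd --link-dest=$BACKUP_ROOT/$2"
    fi
    printf '%s %s@%s:%s %s/%s/\n' "$_cmd" "$WEB_USER" "$WEB_HOST" "$SOURCE_DIR" "$BACKUP_ROOT" "$1"
}

# Delete the oldest snapshot directories under $1 until only $2 remain.
# Glob expansion is sorted, so the oldest timestamped names come first.
prune_snapshots() {
    _dir="$1"; _keep="$2"
    set -- "$_dir"/*
    [ -e "$1" ] || return 0          # empty store: nothing to prune
    _excess=$(( $# - $_keep ))
    while [ "$_excess" -gt 0 ]; do
        rm -rf "$1"
        shift
        _excess=$(( _excess - 1 ))
    done
}

main() {
    mkdir -p "$BACKUP_ROOT"
    _snap=$(snapshot_name)
    _prev=$(latest_snapshot "$BACKUP_ROOT")
    eval "$(build_rsync_cmd "$_snap" "$_prev")"
    prune_snapshots "$BACKUP_ROOT" "$KEEP"
    logger -t web-backup "snapshot $_snap complete"
}

# Only perform a real transfer when invoked as `backup.sh run`
if [ "$#" -gt 0 ] && [ "$1" = "run" ]; then
    main
fi
```

Install it as `/usr/local/sbin/backup.sh` and call it from a systemd service (`ExecStart=/usr/local/sbin/backup.sh run`) started by a timer with `OnCalendar=daily` and `Persistent=true`, so a run missed while the VM was down is made up at the next boot. Pulling from the Backup VM instead of pushing from the Web VM means the web server holds no credentials for the backup store, so a compromised web server cannot delete or overwrite existing snapshots; the Web VM only has to accept the backup key, which should be restricted in `authorized_keys` with a `command=` option (for example `rrsync` in read-only mode) so it can do nothing but read the document root.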
- Debian 12 — operating system used for all virtual machines
- KVM / libvirt — virtualization platform used to create and manage the virtual infrastructure
- nftables — firewall and NAT configuration on the router VM
- bind9 — internal DNS server used for name resolution inside the network
- nginx — web server hosting the test website
- rsync — efficient file synchronization used for backups
- OpenSSH — secure communication between servers
- systemd timers — automation of scheduled backup tasks

