Containerized applications run in isolation, so they can't see the resources of the host they "live" in.
So they don't have direct access to the host resources like network interfaces, network ports, ...
For example, we could have an nginx container listening on port "80".
This port - "80" - is only visible to the container and the application running inside it - nginx -.
So for us to be able to connect to the container's port "80", we will need to choose a port on our host - 88 for example -, then "forward" all the traffic the host get on the port "88" to the container's port "80".
We could do that by instructing Docker to do port forwarding using the below command:
Port on the host : 88.
Port on the container : 80.
The requests that arrive on port "88" on the local host will be forwarded port "80" on the container - nginx -.
In order to use "privileged" port numbers - lower that 1024 -, we will need to have administrative access to the machine - root for example -.