Docker 101 : A dive into the Bridge networking model for containers

The networking models for containers are bridge, none, and host, bridge being the default one.

Docker uses a virtual Ethernet interface - veth - to connect the virtual docker bridge - virtual switch is created to connect containers to the host and to each other - to the containers.

Docker also assigns a network namespace - network stack, network interfaces, ... -  to each container.

The virtual interface - veth - is like a virtual cable that connects the virtual docker bridge to the container's namespace.

Traffic coming from outside the host on port "88", will go through the bridge - docker0 and it will be routed to the virtual interface of the container on port "80" as demonstrated in the below example:

Let's look at the below example:

Below is the command that allows us to do the port forwarding described above:

  • Port "88" : represents the host's port. 
  • Port "80" : represents the container's port.

To see the virtual bridges on a system, we could use the below command:

Let's check the interfaces inside the nginx container:

We have among other interfaces, the virtual interface number 32 named eth0@if26 has the ID: 26

We check the interfaces on the host and we see that the virtual interface vethfcc45a@if32 on the host is linked to the virtual interface eth0@if26 of the container as we can see below - interfaces on the host -:

The virtual interface vethfcc45a@if32 of the host and the virtual interface eth0@if26 in the container constitute the two ends of the virtual cable "veth".

The virtual interface vethfcc45a@if32  is connected to the virtual docker bridge - docker0 - which is also connected to the host's interface "eth0".

To allow containers to send packets outside of the host, we would need to allow masquerading - snat : Source Network Address Translation - using the postrouting iptables rules which are applied to a packet right before it leaves a network interface.

The snat - postrouting - rule are created for outgoing traffic, we could list then using the below command:

  • : is the pool of addresses assigned to the containers.
  • : represents any destination.
For the incoming packets to be able to reach the containers, docker creates a dnat - prerouting - rule as follows:

We map 
destination port "88" on the host to port "80" of the container
The dnat rule modifies the destination data - address, port - of the packet.


The prerouting iptables rule are applied to a packet when it enters a network interface.


Leave as a comment: