The basic networking modes for a container are bridge, host and none; bridge is the default.
Docker creates a virtual bridge - docker0 - which acts as a virtual switch connecting the containers to the host and to each other, and uses a virtual Ethernet pair - veth - to attach each container to that bridge.
Docker also gives each container its own network namespace - a private network stack with its own interfaces, routing table and iptables rules - so the container cannot see the host's interfaces.
The veth pair behaves like a virtual cable: one end is plugged into the docker0 bridge in the host's namespace, the other end appears as eth0 inside the container's namespace.
Traffic arriving from outside the host on port "88" is redirected by iptables to the container's address on port "80" and is delivered across the bridge - docker0 - and the container's virtual interface, as in the example below.
Below is the command that allows us to do the port forwarding described above:
Port "88" : represents the host's port. When no host address is given, Docker binds it on all of the host's addresses (0.0.0.0), so it is reachable from every network the host is attached to.
Port "80" : represents the container's port, the one nginx listens on inside its namespace.
To see the virtual bridges on a system, we could use the below command:
Let's check the interfaces inside the nginx container:
Among the container's interfaces is interface number 32, named eth0@if26: 32 is its own index inside the container's namespace, and the "@if26" suffix is the index of its peer interface, which lives in the host's namespace.
Checking the interfaces on the host, we find interface 26, named vethfcc45a@if32; its "@if32" suffix points back at the container's eth0, as the host listing below shows:
The virtual interface vethfcc45a@if32 of the host and the virtual interface eth0@if26 in the container constitute the two ends of the virtual cable "veth".
The host-side interface vethfcc45a@if32 is enslaved to the virtual docker bridge - docker0 - as one of its ports. The host's physical interface "eth0" is not a bridge port: packets between docker0 and eth0 are forwarded by the host's IP stack - IP forwarding must be enabled - which is where the NAT rules below come in.
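The veth pairing described above can be checked mechanically. The script below is an added example and is not part of the original article: it pairs a container's eth0@ifN with the host-side vethXXXX@ifM end of the same cable by matching the "@if<peer index>" suffixes in `ip -o link` output, and verifies that both ends point at each other. The two listings are constructed (interface numbers, names and MAC addresses are made up; the "32: eth0@if26" / "26: vethfcc45a@if32" pair mirrors the article) so the script runs offline; on a live host they come from `ip -o link` on the host and inside the container, and the live_host_end helper shows the equivalent lookup through sysfs for images that do not ship `ip`.

```sh
#!/bin/sh
# Added example (not from the original article): match the two ends of a
# veth pair from `ip -o link` listings of the host and of a container.

# Constructed container-side listing (made-up indexes and MACs).
CONTAINER_LINKS='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000\    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
32: eth0@if26: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default \    link/ether 02:42:ac:12:00:02 brd ff:ff:ff:ff:ff:ff link-netnsid 0'

# Constructed host-side listing: docker0 plus two veth ports, one per container.
HOST_LINKS='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000\    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000\    link/ether 52:54:00:12:34:56 brd ff:ff:ff:ff:ff:ff
3: docker0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default \    link/ether 02:42:3b:7c:91:aa brd ff:ff:ff:ff:ff:ff
26: vethfcc45a@if32: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP mode DEFAULT group default \    link/ether 9e:11:6f:0d:2a:c4 brd ff:ff:ff:ff:ff:ff link-netnsid 0
28: veth0b1c2d@if27: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP mode DEFAULT group default \    link/ether 6a:5e:c0:8f:13:77 brd ff:ff:ff:ff:ff:ff link-netnsid 1'

# ifindex_of LISTING IFNAME -> the interface's own index (the number before its name).
# Names are used as regexes, so a name containing "." would need escaping.
ifindex_of() {
    printf '%s\n' "$1" | awk -v want="$2" -F'[: ]+' '$2 ~ ("^" want "(@|$)") { print $1 }'
}

# peer_of LISTING IFNAME -> the N in "IFNAME@ifN", i.e. the index of the other end.
peer_of() {
    printf '%s\n' "$1" | awk -v want="$2" -F'[: ]+' '$2 ~ ("^" want "@if") { sub(/.*@if/, "", $2); print $2 }'
}

# host_end HOST_LISTING CONTAINER_IFINDEX -> name of the host interface whose peer is that index.
host_end() {
    printf '%s\n' "$1" | awk -v want="@if$2" -F'[: ]+' '$2 ~ (want "$") { sub(/@.*/, "", $2); print $2 }'
}

# veth_pair CONTAINER_LISTING HOST_LISTING -> "<host veth>@if<cidx> <-> eth0@if<hidx>".
# Both directions are checked: the container's eth0 must point at the host veth
# and that veth must point back; a stale listing (container restarted, veth
# renumbered) fails the cross-check and returns 1.
veth_pair() {
    cidx=$(ifindex_of "$1" eth0)       # container's own index (32 here)
    cpeer=$(peer_of "$1" eth0)         # index the container's eth0 points at (26)
    hname=$(host_end "$2" "$cidx")     # host veth pointing at 32 (vethfcc45a)
    hidx=$(ifindex_of "$2" "$hname")   # that veth's own index (26)
    [ -n "$hname" ] && [ "$hidx" = "$cpeer" ] || return 1
    printf '%s@if%s <-> eth0@if%s\n' "$hname" "$cidx" "$hidx"
}

# Live variant, not executed here: /sys/class/net/eth0/iflink inside the
# container is the ifindex of the host-side end, so no `ip` is needed in the image.
live_host_end() {
    peer=$(docker exec "$1" cat /sys/class/net/eth0/iflink)
    ip -o link | awk -v i="$peer" -F'[: ]+' '$1 == i { sub(/@.*/, "", $2); print $2 }'
}

# Demo on the constructed listings: prints "vethfcc45a@if32 <-> eth0@if26".
veth_pair "$CONTAINER_LINKS" "$HOST_LINKS"
```

The same cross-check is worth running when a host has many containers, since veth names are random and a container restart silently moves it to a new pair.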
To let containers send packets outside the host, their traffic must be masqueraded - SNAT, Source Network Address Translation - using POSTROUTING rules in the iptables nat table. POSTROUTING rules are applied after the routing decision, right before a packet leaves a network interface: the container's private source address is replaced with the host's, so replies can find their way back.
Docker creates the SNAT - POSTROUTING - rule for outgoing traffic; we can list it with the command below:
172.18.0.0/16 : the pool of addresses assigned to the containers on this bridge, i.e. the source addresses the rule masquerades.
0.0.0.0/0 : represents any destination.
For incoming packets to reach a container, Docker creates a DNAT rule in its own DOCKER chain, which the nat PREROUTING chain jumps to for packets addressed to the host:
We map destination port "88" on the host to port "80" of the container.
The DNAT rule rewrites the destination of the packet - address and port - from the host's port "88" to the container's address and port "80".
PREROUTING rules are applied to a packet as soon as it arrives on an interface, before the routing decision, so the routing decision already sees the container's address and forwards the packet onto docker0. Because the packet is then forwarded rather than delivered locally, it traverses the FORWARD chain and not INPUT, so host firewall rules written for INPUT do not protect published ports; to restrict access, bind the port to a specific host address at publish time (for example -p 127.0.0.1:88:80) or add rules to the DOCKER-USER chain, which Docker consults before its own rules.
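The DNAT and SNAT rules just described are the place to audit what a host actually exposes. The script below is an added example, not part of the original article: it reads nat-table rules in the format printed by `iptables -t nat -S`, lists every published port with the host address it is bound to, separates the ones reachable from outside the host (bound to 0.0.0.0) from the ones bound to a specific address, and reports the source pool that is masqueraded on the way out. The rule set is constructed: the 88 to 80 DNAT mirrors the article's `-p 88:80`, and a second, hypothetical service published with `-p 127.0.0.1:5432:5432` shows the `-d 127.0.0.1/32` match Docker adds when a host address is given.

```sh
#!/bin/sh
# Added example (not from the original article): audit Docker's nat rules.

# Constructed output of `iptables -t nat -S` on a host running two containers.
NAT_RULES='-P PREROUTING ACCEPT
-P INPUT ACCEPT
-P OUTPUT ACCEPT
-P POSTROUTING ACCEPT
-N DOCKER
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -s 172.18.0.0/16 ! -o docker0 -j MASQUERADE
-A POSTROUTING -s 172.18.0.2/32 -d 172.18.0.2/32 -p tcp -m tcp --dport 80 -j MASQUERADE
-A DOCKER -i docker0 -j RETURN
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 88 -j DNAT --to-destination 172.18.0.2:80
-A DOCKER -d 127.0.0.1/32 ! -i docker0 -p tcp -m tcp --dport 5432 -j DNAT --to-destination 172.18.0.3:5432'

# published_ports RULES -> one line per DNAT rule: "<bind>:<hostport>/<proto> -> <container>:<port>".
# A rule without a "-d" match is bound to every host address, reported as 0.0.0.0.
published_ports() {
    printf '%s\n' "$1" | awk '
        / -j DNAT / {
            bind = "0.0.0.0"; proto = ""; dport = ""; dest = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "-d" && $(i-1) != "!") { bind = $(i+1); sub(/\/32$/, "", bind) }
                if ($i == "-p") proto = $(i+1)
                if ($i == "--dport") dport = $(i+1)
                if ($i == "--to-destination") dest = $(i+1)
            }
            printf "%s:%s/%s -> %s\n", bind, dport, proto, dest
        }'
}

# externally_reachable RULES -> only the published ports bound to 0.0.0.0,
# i.e. reachable from every network the host is attached to.
externally_reachable() {
    published_ports "$1" | awk -F: '$1 == "0.0.0.0"'
}

# snat_pools RULES -> source ranges masqueraded when leaving the host
# (the hairpin MASQUERADE rule carrying a "-d" match is not a pool and is skipped).
snat_pools() {
    printf '%s\n' "$1" | awk '/^-A POSTROUTING/ && / -j MASQUERADE/ && !/ -d / {
        for (i = 1; i <= NF; i++) if ($i == "-s") print $(i+1)
    }'
}

# Live variant, not executed here (needs root and a Docker host).
live_audit() {
    rules=$(iptables -t nat -S)
    echo "reachable from outside the host:"; externally_reachable "$rules"
    echo "masqueraded pools:"; snat_pools "$rules"
}

# Demo on the constructed rules.
echo "published:"; published_ports "$NAT_RULES"
echo "reachable from outside the host:"; externally_reachable "$NAT_RULES"
echo "masqueraded source pool:"; snat_pools "$NAT_RULES"
```

On the constructed rules only the nginx port shows up as reachable from outside; the 5432 publish is bound to 127.0.0.1 and appears with that address. Rules with a `! -d` negation are treated as unbound, which is the conservative reading for an exposure check.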