Containers inside the same host are connected through a virtual switch and for outside applications to be able to reach them, the ports of the containers are mapped to ports on the machine that is hosting them.
Each container is created in its own network namespace, and docker uses virtual network cables called veth to connect these network namespace through the virtual bridge called docker0, which is the default switch docker uses to connect its containers.
The eth0 interface of the container is connected to the virtual bridge/switch using the veth virtual cable.
To display the Linux bridges on the host, we could use the below command:
Show the virtual bridge and the veth interfaces that connect it to the containers.
To be able to reach the containers from the outside, iptables are used for masquerading the IP addresses.
The hosts changes the container's IP address in the outgoing packets with its address and does the opposite for the incoming packets.
Below we could see and example of the masquerading rules in iptables:
Masquerading happens for all the packets with a source IP address in the "172.17.0.0/16" rangeand external destination IP address.
POSTROUTING happens when a packet is about to leave the network interface. below we can see the docker0 bridge represented in Linux as a network interface:
Docker uses the docker0 bridge IP address range to assign IP addresses to its containers when they are created using the below command for example:
We can see from the above output, the container's network interface and its routing table.
The docker0 bridge gets by default the IP address "172.17.42.1", and docker gives its containers IP addresses in the "172.17.0.0/16" range.