
Docker Networking

Network Types

  • None : Nothing goes in. Nothing goes out. Containers cannot reach each other.
  • Host : Container is attached to the host network. No network isolation. A container running on port 80 is also listening on the host's port 80.
  • Bridge : Internal private network 172.17.0.0

Docker network bridges

When Docker is installed on the host, it creates a bridge network on the host named docker0 and assigns it the address 172.17.0.1/24.

ip link add docker0 type bridge
# Interface is down by default!

When a container is created, Docker creates a network namespace for the container.

To see the namespace Docker will assign:

docker inspect {container_name} \
| jq -r '.[0].NetworkSettings.SandboxID' \
| awk '{print substr($1,1,12)}'

To see the container's IP address:

ip -n {namespace} addr

The interface names form a pair, such as if12 & if11, with odd and even numbers. The even-numbered interfaces are attached to containers, and the odd-numbered ones are the ends on the bridge.

Opening ports

When you open a port using docker run...

docker run -p 8080:80 nginx

Docker will add a NAT rule like this:

# -p tcp is required for --dport to be a valid match
iptables \
-t nat \
-A DOCKER \
-p tcp \
--dport 8080 \
-j DNAT \
--to-destination 172.17.n.n:80

See Docker's rules : iptables -nvL -t nat
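
An added example, not part of the original notes: a shell audit of the DNAT rules described above that lists each published port and whether its rule is limited to one host address. The sample rules are constructed and assume the layout printed by `iptables -t nat -S DOCKER`; the function names are hypothetical.

```shell
#!/bin/sh
# Audit Docker's published ports from its nat-table DNAT rules.
# Real host usage (as root): iptables -t nat -S DOCKER | list_published_ports

# Reads rule lines on stdin and prints, per DNAT rule:
#   <scope> <proto> <host_port> <container_ip:port>
# scope is the -d address the rule is limited to, or ALL-INTERFACES when
# the rule has no -d match and so applies to every address on the host.
list_published_ports() {
    awk '
    $1 == "-A" && $2 == "DOCKER" {
        proto = ""; dport = ""; dest = ""; bind = ""; dnat = 0
        for (i = 3; i <= NF; i++) {
            if ($i == "-p") proto = $(i + 1)
            else if ($i == "--dport") dport = $(i + 1)
            else if ($i == "--to-destination") dest = $(i + 1)
            else if ($i == "-d") bind = $(i + 1)
            else if ($i == "-j" && $(i + 1) == "DNAT") dnat = 1
        }
        # Skip non-DNAT rules such as the "-i docker0 -j RETURN" entry.
        if (!dnat || dport == "" || dest == "") next
        scope = (bind == "" || bind == "0.0.0.0/0") ? "ALL-INTERFACES" : bind
        print scope, proto, dport, dest
    }'
}

# Counts the rules that are not limited to a single host address.
count_wide_open() {
    list_published_ports | awk '$1 == "ALL-INTERFACES" { n++ } END { print n + 0 }'
}

# Constructed sample: one port published on all addresses and one
# published only on loopback (addresses and ports are made up).
sample_rules() {
    cat <<'EOF'
-N DOCKER
-A DOCKER -i docker0 -j RETURN
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 8080 -j DNAT --to-destination 172.17.0.2:80
-A DOCKER -d 127.0.0.1/32 ! -i docker0 -p tcp -m tcp --dport 5432 -j DNAT --to-destination 172.17.0.3:5432
EOF
}

sample_rules | list_published_ports
```

Ports reported as ALL-INTERFACES are reachable on every address the host has; publishing with an explicit host address, as in `docker run -p 127.0.0.1:8080:80 nginx`, limits the rule to that address.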