Search tools and guides ⌘K
15 · 11 steps
Visualize / 15

Docker networking.

You run a container. You can curl out, and if you publish a port the outside can reach in. How? Linux network namespaces give each container its own isolated network stack. Veth pairs connect those namespaces to a virtual switch called docker0. iptables rules quietly rewrite packets at the boundary. Nothing magical — just a handful of standard kernel features wired together. Watch it happen.

step 1 / 11
scenario docker run nginx · docker run redis · docker run -p 8080:80 api default bridge network · single host · 3 containers · 3 packet flows
HOST KERNEL
BRIDGE
CONTAINER NETNS
iptables NAT
HOST NETWORK NAMESPACE · kernel routing + iptableseth0192.168.1.10 to LAN / WANiptables · nat table— no Docker rules yet —host routingdefault via 192.168.1.1 dev eth0172.17.0.0/16 dev docker0 src 172.17.0.1192.168.1.0/24 dev eth0 src 192.168.1.10127.0.0.0/8 dev lo src 127.0.0.1 — docker0 not yet created — — not yet created — — not yet created — — not yet created —
Just the host · one NIC · nothing else

A Linux box with one network interface (eth0 on 192.168.1.10), connected to your LAN. No containers, no bridge, no namespaces yet. This is the starting point. Everything we're about to build is configured by the Docker daemon when it starts up and when you run containers.

Network namespace
A Linux kernel feature: an isolated copy of the network stack. Each namespace has its own interfaces, routing table, iptables rules, ARP cache. A container gets its own netns — that's what makes it think it owns "eth0."
Bridge
A virtual L2 switch in the Linux kernel. Frames sent to one bridge port get flooded/forwarded to the others, just like a real Ethernet switch. docker0 is the default Docker bridge.
veth pair
Two virtual ethernet interfaces hardwired together at the kernel level. Send a frame into one end, it comes out the other. The two ends live in different namespaces — that's how a container talks to the host.

Try it yourself · the unboxed version

Everything we just showed is exposed in the standard Linux tooling. From the host:

  • ip netns list — Docker does not register its namespaces with the standard netns mountpoint by default, but a quick symlink (ln -s /proc/<pid>/ns/net /var/run/netns/<name>) lets you treat them like any namespace.
  • ip link show — see docker0 and all the veth* interfaces.
  • ip link show master docker0 — see which veths are attached to the bridge.
  • iptables -t nat -L -n -v — see the MASQUERADE and DNAT rules Docker installs.
  • conntrack -L — watch NAT\'d connections (install conntrack-tools).
  • nsenter -t <container-pid> -n ip addr — peek inside the container\'s network namespace from the host.

User-defined networks · DNS for free

The default bridge has a famously poor feature: containers can\'t reach each other by name, only by IP. The fix is to create a user-defined network: docker network create mynet, then docker run --network mynet --name api .... Containers on a user-defined bridge get their own embedded DNS server at 127.0.0.11. ping api from another container on mynet just works — Docker maintains the name → IP mapping.

User-defined networks also isolate by default: containers on different networks can\'t reach each other unless you attach them to both. The default bridge network is more permissive (legacy reasons). Production setups always use user-defined networks.

Network modes side by side

  • bridge (default). What we walked through. Container has its own netns, attached to a bridge via veth, gets NAT for outbound. Isolated, port mapping required for ingress.
  • host. --network host. Container shares the host\'s netns. No NAT, no veth, no isolation. Faster (especially for high packet rates) but the container can grab any port and see all host interfaces. Useful for proxies and load balancers.
  • none. --network none. Empty netns — only loopback. No network at all. Batch jobs, sandboxes.
  • container:<name>. Share another container\'s netns. Sidecar pattern (Kubernetes pods are built on this: all containers in a pod share one netns).
  • overlay. Multi-host. Wraps container packets in VXLAN UDP, ships them across the underlay. Used by Docker Swarm and many Kubernetes CNI plugins.
  • macvlan. Container gets a unique MAC address and looks like a real device on your LAN. No NAT, full L2 visibility. Good when you need containers to appear on the same broadcast domain as other LAN hosts.

Performance · what the abstraction costs

Bridge networking adds a few microseconds of latency per packet and a few percent of CPU at moderate rates. At very high packet rates (1M+ pps) the bridge and iptables start to show — kernel CPU time for forwarding and conntrack table maintenance climbs sharply. Host networking eliminates all of it. SR-IOV (giving the container direct hardware access to a NIC virtual function) goes further still.

conntrack table size is a sneaky production issue. Default is a few hundred thousand entries. A busy reverse proxy can fill it; new connections then get dropped silently. Bumping net.netfilter.nf_conntrack_max is one of those Linux tuning knobs every SRE eventually learns about.

How Kubernetes builds on all this

A Kubernetes Pod is roughly "a group of containers sharing one network namespace." That\'s the same --network container:<name> mode Docker has. The Pod gets one IP; all containers inside share it and talk via localhost. Cross-Pod networking is the job of a CNI plugin (Calico, Cilium, Flannel, Weave, AWS VPC CNI). Most of them work by giving each Pod a routable IP from a cluster CIDR, then making sure those IPs are reachable across nodes — sometimes with overlays (VXLAN), sometimes with native routing (BGP), sometimes by piggy-backing on cloud provider VPC routes.

Services in Kubernetes (the virtual IPs that load-balance across Pods) are implemented by kube-proxy writing iptables rules — or by IPVS for high-scale clusters — that DNAT service IPs to one of the backing Pod IPs. Same mechanism as -p 8080:80, just programmatically maintained as Pods come and go.

What this simplifies

  • No firewall rules. Real Docker also writes FORWARD chain rules in the filter table to permit container traffic through the bridge.
  • No IPv6. Docker can do IPv6 with its own subnet and rules; the visual would double in size.
  • No DNS. The embedded DNS server at 127.0.0.11 inside user-defined networks is its own little ARP-rewriting trick that needs its own diagram.
  • Single host. Multi-host (overlay, macvlan, swarm) brings VXLAN headers and extra hops we didn\'t draw.
  • Linux only. Docker on Mac and Windows runs the container inside a small Linux VM. The networking story we showed is happening inside that VM; another layer of port forwarding bridges to your laptop.
Related concepts
Visualizations
In the Codex
Sources & further reading
  1. docs Docker — Networking overview
  2. post GeeksforGeeks — Basics of Docker Networking
  3. docs network_namespaces(7) — Linux manual
Go deeper

Networking Codex →

Linux bridge internals, conntrack and stateful NAT, VXLAN overlays, CNI plugin architectures, eBPF-based networking (Cilium), service mesh data planes.

Open the Codex →
Related Concepts Related Concepts
Visualize API Gateway Visualize Bloom Filter Visualize Browser Render Visualize Btree Split Visualize Call Stack Visualize Closures Visualize Compiler Pipeline Study Path Visualize — overview
Found this useful?