Each Docker container has its own network stack. The Linux kernel instantiates a new NET (network) namespace for each container, and that namespace cannot be seen from outside the container or from other containers.
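One way to check the per-container NET namespace described above is to compare the `/proc/<pid>/ns/net` link of each container's init process with that of host PID 1. This is an added example, not code from the original page; the container names, PIDs and namespace inodes are constructed sample data, and the function names are hypothetical.

```python
import os
import re
from collections import defaultdict

# Link target format of /proc/<pid>/ns/net on Linux, e.g. "net:[4026531992]"
NS_LINK = re.compile(r"^net:\[(\d+)\]$")

def parse_netns(link):
    """Return the namespace inode number from a ns/net link target."""
    m = NS_LINK.match(link)
    if not m:
        raise ValueError(f"not a net namespace link: {link!r}")
    return int(m.group(1))

def read_netns_links(proc="/proc"):
    """Live reader (Linux only): map pid -> ns/net link for inspectable processes."""
    links = {}
    for entry in os.listdir(proc):
        if entry.isdigit():
            try:
                links[int(entry)] = os.readlink(os.path.join(proc, entry, "ns", "net"))
            except OSError:  # process exited, or we lack permission to inspect it
                continue
    return links

def group_by_netns(links):
    """Group PIDs by the network namespace they live in."""
    groups = defaultdict(list)
    for pid, link in sorted(links.items()):
        groups[parse_netns(link)].append(pid)
    return dict(groups)

def containers_sharing_host_netns(containers, links, host_pid=1):
    """Names of containers whose init PID is in the same NET namespace as the host
    (for example, containers started with host networking)."""
    host_ns = parse_netns(links[host_pid])
    return sorted(name for name, pid in containers.items()
                  if pid in links and parse_netns(links[pid]) == host_ns)

# Constructed sample data: PID 1 and 812 are host processes; the rest are container inits.
SAMPLE_LINKS = {
    1: "net:[4026531992]", 812: "net:[4026531992]",
    2301: "net:[4026532281]", 2377: "net:[4026532344]", 2450: "net:[4026531992]",
}
SAMPLE_CONTAINERS = {"web": 2301, "db": 2377, "monitor": 2450}  # name -> init PID

if __name__ == "__main__":
    for ns, pids in group_by_netns(SAMPLE_LINKS).items():
        print(f"net:[{ns}] -> pids {pids}")
    print("not isolated from host:",
          containers_sharing_host_netns(SAMPLE_CONTAINERS, SAMPLE_LINKS))
```

On a real host, pass the output of `read_netns_links()` (run as root) together with each container's init PID, which `docker inspect --format '{{.State.Pid}}' <container>` reports.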
Docker networking is powered by the following network components and services.
- Linux bridges: These are L2/MAC learning switches built into the kernel and are used for forwarding.
- Open vSwitch: This is an advanced bridge that is programmable and supports tunneling.
- NAT: Network address translators are intermediate entities that translate IP addresses and ports (SNAT, DNAT, and so on).
- iptables: This is a policy engine in the kernel used for managing packet forwarding, firewall, and NAT features.
- AppArmor/SELinux: Firewall policies for each application can be defined with these.
Read more at Network Computing