Frequently Asked Question
How does container networking work: bridge, host, and beyond?
By default Docker and Podman put each container in its own network namespace,
with its own loopback, routing table, and interfaces, and connect that namespace
to the outside world through a virtual ethernet pair (veth). One end of the pair
sits in the container; the other plugs into a software bridge on the host (docker0
for Docker, podman0 for rootful Podman; rootless Podman has no host bridge at all
and instead uses user-mode networking via pasta or slirp4netns). The host runs an
iptables/nftables NAT rule that masquerades container traffic out through the
real interface, and a port-publish flag (-p 8080:80) adds a DNAT rule that
forwards inbound host port 8080 to the container's port 80. Two things matter in
practice. Docker places its forwarding rules in its own chains (DOCKER-USER,
DOCKER) at the head of the FORWARD chain, ahead of anything a host firewall front
end such as ufw manages, so a published port is reachable on every interface no
matter what ufw reports, unless you bind it to an address explicitly
(-p 127.0.0.1:8080:80). And every container on the same bridge can reach every
other by IP, so a service that must not be reachable by its neighbours belongs on
a separate user-defined network (docker network create). That is bridge mode, and
it is what you get if you do nothing.
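The bridge-mode plumbing above, rebuilt by hand so each piece is visible, as an added example that is not part of the original page and not Docker's own code. It creates a namespace, a veth pair, a bridge, the masquerade rule and the DNAT rule with iproute2 and nft (root required, so that part only runs with --build as root), and it includes a small audit over iptables-save output that lists ports Docker publishes on every host address. The namespace, bridge and interface names, the 10.99.0.0/24 subnet and the sample rule set are assumptions constructed for the demo.

```shell
#!/bin/sh
# Added example, not Docker's code. Names (ctr0, br-demo, veth-host, the
# 10.99.0.0/24 subnet) and the sample iptables-save text are assumptions.
set -eu

# Build the topology Docker sets up for bridge mode. Requires root, Linux,
# iproute2 and nft. cleanup_bridge_demo removes everything afterwards.
build_bridge_demo() {
    ip netns add ctr0                                  # container's network namespace
    ip link add br-demo type bridge                    # stand-in for docker0
    ip addr add 10.99.0.1/24 dev br-demo               # bridge is the container's gateway
    ip link set br-demo up
    ip link add veth-host type veth peer name eth0 netns ctr0   # the veth pair
    ip link set veth-host master br-demo               # host end plugs into the bridge
    ip link set veth-host up
    ip -n ctr0 link set lo up                          # namespace has its own loopback
    ip -n ctr0 addr add 10.99.0.2/24 dev eth0
    ip -n ctr0 link set eth0 up
    ip -n ctr0 route add default via 10.99.0.1         # and its own routing table
    sysctl -qw net.ipv4.ip_forward=1
    # NAT: masquerade container traffic leaving via any non-bridge interface,
    # and DNAT traffic arriving on host port 8080 to the container's port 80.
    nft add table ip demo
    nft add chain ip demo post '{ type nat hook postrouting priority srcnat; }'
    nft add rule ip demo post ip saddr 10.99.0.0/24 oifname != br-demo masquerade
    nft add chain ip demo pre '{ type nat hook prerouting priority dstnat; }'
    nft add rule ip demo pre tcp dport 8080 dnat to 10.99.0.2:80
}

cleanup_bridge_demo() {
    nft delete table ip demo 2>/dev/null || true
    ip link del veth-host 2>/dev/null || true          # deleting one end removes the peer
    ip link del br-demo 2>/dev/null || true
    ip netns del ctr0 2>/dev/null || true
}

# Audit: read `iptables-save -t nat` on stdin and print each DOCKER-chain DNAT
# rule that carries no -d restriction, i.e. a port published on 0.0.0.0 and
# therefore reachable from every host interface. Output: "<port> -> <target>".
wide_open_ports() {
    awk '/^-A DOCKER / && /-j DNAT/ {
        dst = ""; port = ""; to = ""
        for (i = 1; i <= NF; i++) {
            if ($i == "-d")               dst  = $(i + 1)
            if ($i == "--dport")          port = $(i + 1)
            if ($i == "--to-destination") to   = $(i + 1)
        }
        if (dst == "" || dst == "0.0.0.0/0") print port " -> " to
    }'
}

# Constructed sample in iptables-save format: one port published as
# -p 8080:80 (no -d, wide open) and one as -p 127.0.0.1:5432:5432 (restricted).
SAMPLE_NAT_RULES='*nat
:PREROUTING ACCEPT [0:0]
:DOCKER - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
-A DOCKER -i docker0 -j RETURN
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 8080 -j DNAT --to-destination 172.17.0.2:80
-A DOCKER ! -i docker0 -d 127.0.0.1/32 -p tcp -m tcp --dport 5432 -j DNAT --to-destination 172.17.0.3:5432
COMMIT'

printf '%s\n' "$SAMPLE_NAT_RULES" | wide_open_ports   # prints: 8080 -> 172.17.0.2:80

# Only build the real topology when asked to and running as root.
if [ "${1:-}" = "--build" ] && [ "$(id -u)" -eq 0 ]; then
    build_bridge_demo
    ip netns exec ctr0 ip route          # the container's own routing table
    nft list table ip demo               # the masquerade and DNAT rules
    cleanup_bridge_demo
fi
```

On a live host, run `iptables-save -t nat | wide_open_ports` (after sourcing the file) to get the real list; anything it prints is exposed on every interface unless a DOCKER-USER rule or an upstream firewall blocks it.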
Host mode (--network=host) skips the namespace entirely: the container shares
the host's network stack, so localhost is the host's loopback and there is no NAT
or port mapping. It is faster but offers no network isolation: the container sees
every host interface, can bind any host port, and, if it is also granted
CAP_NET_ADMIN, can reconfigure the host's routes and firewall. None mode
(--network=none) gives the container only its own loopback and no external
connectivity, useful for sandboxed batch jobs. Overlay networks extend a single
virtual network across multiple hosts: Docker Swarm ships its own VXLAN-based
overlay driver, while Kubernetes delegates to CNI plugins such as Flannel, Calico,
or Cilium, which carry traffic between hosts over VXLAN tunnels, BGP-advertised
routes, or an eBPF datapath. For most local work, bridge is the right default;
container orchestrators take care of the rest.