Container access to the outside world:
Principle: NAT (network address translation)
1. The physical machine (the host) can connect to the external network
2. docker run -it busybox
ip a
The container can access the external network
3. View the iptables rules to understand how this works:
iptables -t nat -S
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
A packet whose source address is in this network segment (and that is not leaving through docker0) is handed to the MASQUERADE target, which replaces the packet's source address with the host's address before sending it out. This is source network address translation (SNAT).
4. Open a terminal to monitor the docker0 network card:
tcpdump -i docker0 -n icmp
5. In another terminal, start a container and ping Baidu from inside it:
docker run -it busybox
ping www.baidu.com
In the capture on docker0, the ICMP packets still carry the container's IP address as their source; the translation has not happened yet at this point.
6. Stop the capture in the previous terminal and instead monitor the physical machine's network interface:
tcpdump -i ens33 -n icmp
It is found that the address of the container has been converted into the IP address of the physical machine.
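The six steps above are a manual check. As an added example that is not part of the original page, the following POSIX shell script turns them into two small reusable checks: one that confirms a Docker bridge subnet is covered by a MASQUERADE rule in the nat POSTROUTING chain, and one that compares the ICMP echo-request sources seen on docker0 with those seen on the uplink to confirm the source address was rewritten. The function names, the interface name ens33, and the sample `iptables -t nat -S` and `tcpdump -n icmp` output embedded below are all constructed for this example (the addresses are documentation ranges); on a real host, pass the live tool output to the same functions.

```shell
#!/bin/sh
# Added example, not part of the original page. Checks for the NAT behaviour
# described above, runnable against real output of
#   iptables -t nat -S POSTROUTING      and      tcpdump -i <iface> -n icmp
# or, as here, against the constructed sample output embedded below.

# Print the source subnets that the nat POSTROUTING chain masquerades.
# Argument 1: the text of `iptables -t nat -S POSTROUTING`.
masqueraded_subnets() {
  printf '%s\n' "$1" | awk '
    /^-A POSTROUTING / && / -j MASQUERADE/ {
      for (i = 1; i <= NF; i++) if ($i == "-s") print $(i + 1)
    }'
}

# Exit status 0 when the given subnet (argument 2, e.g. 172.17.0.0/16)
# has a MASQUERADE rule in the rule listing given as argument 1.
subnet_is_masqueraded() {
  masqueraded_subnets "$1" | grep -qxF -- "$2"
}

# Print the distinct source addresses of ICMP echo requests in a capture.
# Argument 1: the text of `tcpdump -i <iface> -n icmp` ("-n" keeps raw IPs).
# In that format field 3 of a request line is the source address.
icmp_request_sources() {
  printf '%s\n' "$1" | awk '/ICMP echo request/ { print $3 }' | sort -u
}

# Exit status 0 when the echo requests on the uplink capture (argument 2)
# no longer carry the source seen on the docker0 capture (argument 1),
# i.e. source NAT happened between the two interfaces.
source_was_translated() {
  inner=$(icmp_request_sources "$1")
  outer=$(icmp_request_sources "$2")
  [ -n "$inner" ] && [ -n "$outer" ] && [ "$inner" != "$outer" ]
}

# --- constructed sample data: shapes match the real tools, values are made up ---
SAMPLE_NAT_RULES='-P POSTROUTING ACCEPT
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE'

# Capture on docker0: the source is still the container address.
SAMPLE_DOCKER0='10:00:01.000001 IP 172.17.0.2 > 198.51.100.7: ICMP echo request, id 10, seq 1, length 64
10:00:01.020001 IP 198.51.100.7 > 172.17.0.2: ICMP echo reply, id 10, seq 1, length 64'

# Capture on the uplink (ens33): same flow, source rewritten to the host address.
SAMPLE_ENS33='10:00:01.000050 IP 192.0.2.10 > 198.51.100.7: ICMP echo request, id 10, seq 1, length 64
10:00:01.019900 IP 198.51.100.7 > 192.0.2.10: ICMP echo reply, id 10, seq 1, length 64'

# Same subnet check against the live host (needs root to read the nat table).
# Argument 1 (optional): subnet to check, default is Docker's usual bridge range.
live_subnet_check() {
  rules=$(iptables -t nat -S POSTROUTING) || return 1
  subnet_is_masqueraded "$rules" "${1:-172.17.0.0/16}"
}

# `sh script.sh demo` walks the sample data; without arguments only the
# functions are defined, so the file can also be sourced.
if [ "${1:-}" = "demo" ]; then
  subnet_is_masqueraded "$SAMPLE_NAT_RULES" 172.17.0.0/16 && echo "172.17.0.0/16 is masqueraded"
  echo "docker0 sources: $(icmp_request_sources "$SAMPLE_DOCKER0")"
  echo "ens33 sources:   $(icmp_request_sources "$SAMPLE_ENS33")"
  source_was_translated "$SAMPLE_DOCKER0" "$SAMPLE_ENS33" && echo "source NAT confirmed"
fi
```

If `subnet_is_masqueraded` fails on a live host, containers on that bridge will send packets out with their private 172.17.x.x source and never get replies; if `source_was_translated` fails, the host is forwarding container packets without rewriting them, which is the first thing to check when container traffic reaches the uplink but no answers come back.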