Docker Container Network Modes and Configuration Guide

Docker automatically creates three default networks (bridge, host, none) that can be listed with docker network ls . The bridge mode is the default and provides a virtual bridge (docker0) on the host; containers receive IP addresses from this bridge and can communicate directly via their Container‑IP.

Docker's Four Network Modes

Mode

Configuration

Description

host

--network host

Container shares the host's network namespace and uses the host's IP and ports.

container

--network container:NAME_OR_ID

Container shares the network namespace of another container (shared IP, ports).

none

--network none

Container gets its own network namespace but no network interfaces are configured.

bridge

--network bridge

(default)

Creates a virtual Ethernet pair (veth) connected to the host's

docker0

bridge.

Bridge mode creates a virtual bridge docker0 on the host. Each container gets a veth pair: one end inside the container (eth0) and the other attached to docker0 . Port mapping with -p hostPort:containerPort adds DNAT rules via iptables so external traffic can reach the container.

Container mode shares the network namespace of an existing container. The new container does not get its own IP; it uses the same IP and ports as the referenced container, while file‑system isolation remains.

Host mode disables network isolation entirely; the container uses the host's network stack directly, providing the best performance but no port isolation.

None mode gives the container an isolated namespace with only a loopback interface. Users must manually add interfaces and configure IP addresses if needed.

Creating Custom Bridges and veth Pairs

Custom bridges can be created with docker network create -d bridge --subnet "192.168.2.0/24" --gateway "192.168.2.1" mybridge . Containers attached to this network receive IPs from the specified subnet.

Linux network namespaces can be managed with ip netns commands. Example workflow:

# Create namespaces
ip netns add ns0
ip netns add ns1
# Create a veth pair
ip link add type veth
# Move ends into namespaces
ip link set veth0 netns ns0
ip link set veth1 netns ns1
# Assign IPs and bring up interfaces
ip netns exec ns0 ip addr add 192.0.0.1/24 dev veth0
ip netns exec ns0 ip link set veth0 up
ip netns exec ns1 ip addr add 192.0.0.2/24 dev veth1
ip netns exec ns1 ip link set veth1 up
# Test connectivity
ip netns exec ns0 ping -c 2 192.0.0.2

These steps demonstrate how containers in different namespaces can communicate via a veth pair.

Common Container Operations

View container hostname: docker run --rm busybox hostname

Set custom hostname: --hostname myhost

Specify DNS server: --dns 8.8.8.8

Add host‑to‑IP mapping: --add-host example.com:1.2.3.4

Expose ports: -p 8080:80 (static) or -p 80 (dynamic). Use docker port CONTAINER to view mappings.

Docker automatically creates and removes the necessary iptables NAT rules when containers start and stop.