Master Docker Container Networking: 4 Modes, veth Pairs, and Advanced Config
This guide explains Docker's three default networks, the four container network modes (bridge, container, host, none), how Linux bridges and veth pairs work, commands for network namespaces, port mapping, custom bridge creation, and practical examples for configuring Docker networking.
Docker container networking
Docker automatically creates three default networks (bridge, host, and none), which can be listed with docker network ls. It uses a Linux bridge (docker0) to assign each container a unique IP address (Container‑IP) and to act as the default gateway, allowing containers on the same host to communicate directly.
Four network modes
Bridge mode (the default) connects containers to the docker0 bridge, creating a virtual Ethernet pair (veth) for each container and exposing the container IP via the bridge.
Container mode shares the network namespace of an existing container, so the new container uses the same IP, ports, and network interfaces while keeping its filesystem isolated.
Host mode makes the container use the host's network namespace directly; the container shares the host's IP address and ports, providing the best network performance but no isolation.
None mode creates an isolated network namespace without any network interfaces except the loopback device; the container has no IP address or routing unless manually configured.
Bridge mode details
When Docker starts, it creates the virtual bridge docker0. Each container gets a veth pair: one end (eth0) inside the container, the other attached to the bridge on the host. The bridge works like a Layer‑2 switch, and brctl show can display its configuration.
Port mapping is performed with the -p option, which adds DNAT rules in iptables to forward host ports to container ports.
Container mode illustration
Host mode illustration
None mode illustration and use cases
Typical scenarios for none mode include running isolated data‑processing containers or background compute tasks where network access is not required.
Network namespace commands (Linux)
The ip netns utility manages network namespaces. Example commands:
# ip netns list
# ip netns add ns0
# ip netns exec ns0 ip addr
# ip netns exec ns0 ip link set lo up
# ip netns exec ns0 ping 127.0.0.1
Creating and using veth pairs
A veth pair consists of two linked virtual Ethernet interfaces. Creating a pair:
# ip link add type veth
# ip a
Assign each end to a different namespace (create ns1 first, since only ns0 exists so far):
# ip netns add ns1
# ip link set veth0 netns ns0
# ip link set veth1 netns ns1
# ip netns exec ns0 ip link set veth0 up
# ip netns exec ns0 ip addr add 192.0.0.1/24 dev veth0
# ip netns exec ns1 ip link set veth1 up
# ip netns exec ns1 ip addr add 192.0.0.2/24 dev veth1
Ping between namespaces to verify connectivity.
Configuring Docker networks
Inspect a network:
# docker network inspect bridge
Create a custom bridge network:
# docker network create mynet -d bridge --subnet 192.168.2.0/24 --gateway 192.168.2.1
Run a container on the custom network:
# docker run -it --name c1 --network mynet busybox
Port mapping examples
Expose container port 80 on a random host port:
# docker run -dit --name web1 -p 192.168.203.138::80 httpd
# docker port web1
80/tcp -> 192.168.203.138:49153
Access the service via the host IP and mapped port.
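An added example (not from the original article): a Python check over docker inspect JSON that flags the isolation trade-offs of the network modes described earlier (host mode, container mode) and ports published on every host interface rather than on one address as in the web1 command. The sample JSON, the container names web2, agent, sidecar and batch, and the container id are constructed; the fields read (HostConfig.NetworkMode, NetworkSettings.Ports) are part of Docker's inspect output.

```python
import json

# Constructed sample in the shape of `docker inspect` output, trimmed to the
# fields used here; names, ids and addresses are illustrative only.
SAMPLE_INSPECT = json.loads("""
[
 {"Name": "/web1", "HostConfig": {"NetworkMode": "bridge"},
  "NetworkSettings": {"Ports": {"80/tcp": [{"HostIp": "192.168.203.138", "HostPort": "49153"}]}}},
 {"Name": "/web2", "HostConfig": {"NetworkMode": "mynet"},
  "NetworkSettings": {"Ports": {"80/tcp": [{"HostIp": "0.0.0.0", "HostPort": "8080"}],
                                "443/tcp": null}}},
 {"Name": "/agent", "HostConfig": {"NetworkMode": "host"},
  "NetworkSettings": {"Ports": {}}},
 {"Name": "/sidecar", "HostConfig": {"NetworkMode": "container:4f1c0ffee"},
  "NetworkSettings": {"Ports": {}}},
 {"Name": "/batch", "HostConfig": {"NetworkMode": "none"},
  "NetworkSettings": {"Ports": {}}}
]
""")

ALL_INTERFACES = {"", "0.0.0.0", "::"}  # an empty HostIp also means every interface


def audit_container(c):
    """Return (container name, finding) tuples for one inspected container."""
    name = c.get("Name", "?").lstrip("/")
    mode = c.get("HostConfig", {}).get("NetworkMode", "")
    findings = []
    if mode == "host":
        findings.append((name, "host mode: shares the host network namespace, no isolation"))
    elif mode.startswith("container:"):
        findings.append((name, "shares network namespace with " + mode.split(":", 1)[1]))
    ports = (c.get("NetworkSettings") or {}).get("Ports") or {}
    for container_port, bindings in sorted(ports.items()):
        for b in bindings or []:  # null means exposed but not published
            if b.get("HostIp", "") in ALL_INTERFACES:
                findings.append((name, f"{container_port} published on all host interfaces "
                                       f"(host port {b.get('HostPort')})"))
    return findings


def audit(containers):
    """Flatten the findings for a list of inspected containers."""
    return [f for c in containers for f in audit_container(c)]


if __name__ == "__main__":
    for name, finding in audit(SAMPLE_INSPECT):
        print(f"{name}: {finding}")
```

To audit a live host, parse the output of docker inspect $(docker ps -q) with json.loads and pass the resulting list to audit().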
Customizing the default bridge (docker0)
Edit /etc/docker/daemon.json to set a custom subnet:
{
  "bip": "192.168.1.5/24"
}
Reload and restart Docker:
# systemctl daemon-reload
# systemctl restart docker
Connecting to a remote Docker daemon
Use the -H flag to point the client at another host:
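# docker -H 192.168.203.138:2375 ps
Port 2375 is the daemon's plain TCP listener with no TLS or authentication; TLS-protected daemons conventionally listen on 2376.
This article provides a comprehensive overview of Docker's networking capabilities, from default bridges and network modes to advanced namespace manipulation and custom network creation.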
MaGe Linux Operations
