NAT for containers

In the previous section, we saw how the -p 80:80 option did the magic. In reality, under the hood, the Docker Engine achieves this seamless connectivity by automatically adding a Network Address Translation (NAT) rule to the Linux iptables rule set on the Docker host.

To illustrate the automatic configuration of the NAT rule in Linux iptables, let's query the Docker host's iptables for its NAT entries, as follows:

$ sudo iptables -t nat -L -n

The ensuing text is an excerpt from the iptables NAT entry, which is automatically added by the Docker Engine:

Chain DOCKER (2 references)
target prot opt source destination
DNAT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 to:172.17.0.14:80

From the preceding excerpt, it is quite evident that the Docker Engine has effectively added a DNAT rule. The following are the details of the DNAT rule:

  • The tcp keyword signifies that this DNAT rule applies only to the TCP transport protocol.
  • The first 0.0.0.0/0 address is a wildcard for the source address. It indicates that the connection can originate from any IP address.
  • The second 0.0.0.0/0 address is a wildcard for the destination address on the Docker host. It indicates that the connection can be made to any valid IP address configured on the Docker host, that is, on every interface.
  • Finally, dpt:80 to:172.17.0.14:80 is the forwarding instruction: any TCP traffic arriving on port 80 of the Docker host is forwarded to port 80 of 172.17.0.14, the IP address of our container.
Therefore, any TCP packet that the Docker host receives on port 80 will be forwarded to port 80 of the container.
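Because the destination match is the wildcard 0.0.0.0/0, the published port is reachable on every address the host owns, not just the one you had in mind. The following script, added here as an example and not taken from the book or from Docker's own tooling, parses the output of iptables -t nat -L -n, lists every DNAT rule in the DOCKER chain as a host-to-container mapping, and flags the ones exposed on all interfaces. The sample output embedded in SAMPLE is constructed for the demonstration (the 127.0.0.1 rule is what Docker creates for a port published as -p 127.0.0.1:5432:5432); pipe real output into list_docker_dnat to audit a live host.

```shell
#!/bin/sh
# Constructed sample of `iptables -t nat -L -n` output; not captured from a real host.
SAMPLE='Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
DOCKER     all  --  0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type LOCAL

Chain DOCKER (2 references)
target     prot opt source               destination
RETURN     all  --  0.0.0.0/0            0.0.0.0/0
DNAT       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:80 to:172.17.0.14:80
DNAT       tcp  --  0.0.0.0/0            127.0.0.1            tcp dpt:5432 to:172.17.0.3:5432'

# Read `iptables -t nat -L -n` output on stdin and print one line per DNAT rule
# in the DOCKER chain:
#   <scope> <proto> <host_destination>:<host_port> -> <container_ip>:<container_port>
# scope is ALL-INTERFACES when the destination match is the wildcard 0.0.0.0/0,
# and SPECIFIC-ADDR when Docker was told to publish on one host address.
list_docker_dnat() {
    awk '
        /^Chain / { chain = $2; next }          # track which chain we are in
        chain == "DOCKER" && $1 == "DNAT" {
            proto = $2; dst = $5                 # columns: target prot opt source destination ...
            port = ""; target = ""
            for (i = 6; i <= NF; i++) {          # the match/target extras follow column 5
                if ($i ~ /^dpt:/) port = substr($i, 5)
                if ($i ~ /^to:/)  target = substr($i, 4)
            }
            scope = (dst == "0.0.0.0/0") ? "ALL-INTERFACES" : "SPECIFIC-ADDR"
            printf "%s %s %s:%s -> %s\n", scope, proto, dst, port, target
        }'
}

# Run the audit over the constructed sample instead of a live host.
audit_sample() {
    printf '%s\n' "$SAMPLE" | list_docker_dnat
}

# Count how many published ports are reachable on every host interface.
count_all_interfaces() {
    audit_sample | grep -c '^ALL-INTERFACES'
}

# Stand-alone usage: print the mappings found in the sample.
audit_sample
```

On a real host, run `sudo iptables -t nat -L -n | list_docker_dnat`. A port that should only be reachable locally is better published as -p 127.0.0.1:HOSTPORT:CONTAINERPORT, which makes Docker write the DNAT rule with a 127.0.0.1 destination match instead of the wildcard, as the second sample rule shows.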