Summary

A hands-on tutorial that demystifies container networking by building it from scratch using only standard Linux primitives: network namespaces, virtual Ethernet pairs (veth), bridges, IP routing, and iptables NAT. The core thesis is that container networking is not special technology — it is the composition of basic Linux kernel facilities that have existed for years. Understanding these primitives explains Docker’s internal behavior and provides the foundation for Kubernetes networking.

A hands-on tutorial that builds container networking from scratch using only standard Linux primitives: network namespaces, virtual Ethernet pairs (veth), bridges, IP routing, and iptables NAT. The core thesis: container networking is not a special technology but a composition of Linux kernel facilities that have existed for years. Understanding these primitives explains Docker's internal behavior and is the foundation for learning Kubernetes networking.

Key Points

  • Network Namespaces: each container gets an isolated netns with its own devices, routing tables, and firewall rules — ip netns add / nsenter are the key commands
  • veth pairs: act as “tunnels” between namespaces; one end in host namespace, peer end moved into container namespace via ip link set ceth0 netns netns0
  • Bridge (virtual switch): Layer 2 device that connects multiple veth interfaces; containers attach their veth to the bridge and communicate without explicit IP routing between them
  • IP forwarding + MASQUERADE: let containers reach external networks; the host acts as a router, and the POSTROUTING NAT rule rewrites container source IPs to the host's external IP
  • DNAT (port publishing): an iptables PREROUTING rule redirects traffic arriving on a host port to a container IP:port — this is exactly what docker -p 8080:80 does under the hood
  • Docker network modes: bridge (default; the setup above), host (no isolation, shares the host netns), none (loopback only)
  • All of Docker/Kubernetes networking is built on these same Linux primitives
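The Key Points above, as one script (an added example, not code from the tutorial or from Docker): it builds the single-host topology netns0 <-ceth0==veth0-> br0, turns the host into a NAT router, and publishes a port with DNAT. The interface names, the 172.18.0.0/24 subnet and the 8080:80 mapping are assumptions; without APPLY=1 it only prints the commands, so the plan can be read without root.

```shell
#!/bin/sh
# Added example, not code from the tutorial. Builds the single-host topology the
# notes describe: netns0 <-ceth0==veth0-> br0 on the host, NAT out, DNAT in.
# Names, subnet and ports below are assumptions chosen for the example.
# Without APPLY=1 every command is only printed (a dry run that needs no root).
set -eu
NS=netns0; BR=br0; HOST_END=veth0; CT_END=ceth0
SUBNET=172.18.0.0/24; BR_IP=172.18.0.1; CT_IP=172.18.0.10
HOST_PORT=8080; CT_PORT=80

run() { if [ "${APPLY:-0}" = 1 ]; then "$@"; else printf '%s\n' "$*"; fi; }

build() {
  run ip netns add "$NS"                                    # isolated network stack
  run ip link add "$HOST_END" type veth peer name "$CT_END" # veth "tunnel"
  run ip link set "$CT_END" netns "$NS"                     # peer end goes into the netns
  run ip link add "$BR" type bridge                         # L2 virtual switch
  run ip link set "$HOST_END" master "$BR"                  # host end plugs into it
  run ip addr add "$BR_IP/24" dev "$BR"                     # bridge IP = container gateway
  run ip link set "$BR" up
  run ip link set "$HOST_END" up
  run ip netns exec "$NS" ip link set lo up
  run ip netns exec "$NS" ip addr add "$CT_IP/24" dev "$CT_END"
  run ip netns exec "$NS" ip link set "$CT_END" up
  run ip netns exec "$NS" ip route add default via "$BR_IP"
  run sysctl -w net.ipv4.ip_forward=1                       # host becomes a router
  run iptables -A FORWARD -i "$BR" -j ACCEPT                # needed when FORWARD policy is DROP
  run iptables -A FORWARD -o "$BR" -j ACCEPT
  # Outbound: rewrite container source IPs to the host's egress address.
  run iptables -t nat -A POSTROUTING -s "$SUBNET" ! -o "$BR" -j MASQUERADE
  # Inbound, the equivalent of "docker -p 8080:80". This matches every host
  # interface; add "-d <host-ip>" to publish on one address only.
  run iptables -t nat -A PREROUTING -p tcp --dport "$HOST_PORT" -j DNAT --to-destination "$CT_IP:$CT_PORT"
}

verify() { run ip netns exec "$NS" ping -c 1 -W 1 "$BR_IP"; }   # container reaches its gateway

teardown() {
  run iptables -t nat -D PREROUTING -p tcp --dport "$HOST_PORT" -j DNAT --to-destination "$CT_IP:$CT_PORT"
  run iptables -t nat -D POSTROUTING -s "$SUBNET" ! -o "$BR" -j MASQUERADE
  run iptables -D FORWARD -o "$BR" -j ACCEPT
  run iptables -D FORWARD -i "$BR" -j ACCEPT
  run ip link del "$BR"            # deleting the netns removes ceth0 and with it veth0
  run ip netns del "$NS"
}

case "${1:-}" in build) build ;; verify) verify ;; teardown) teardown ;; esac
```

Compare the printed plan with `iptables -t nat -L -n` after a real `docker run -p 8080:80`: the same MASQUERADE and DNAT pattern appears, with Docker's own chain names.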

Insights

  • “Container networking emerges from combining basic Linux facilities rather than specialized container technology” — this reframe matters: if you understand ip, iptables, and namespaces, you understand container networking; Docker is a UX layer, not a new networking paradigm
  • The build-from-scratch approach is the most effective way to learn this: watching iptables -L -n -t nat before and after a docker run -p reveals exactly what Docker does, which no documentation explains as clearly
  • This connects directly to the DevOps 6-month roadmap (Month 2: networking fundamentals) and Linux memory management article in this vault — container networking is Month 2-4 material where networking theory meets Linux system knowledge
  • Kubernetes networking (CNI plugins like Calico, Flannel) builds on exactly this: they automate the veth/bridge/routing setup across multiple hosts; understanding single-host bridge networking makes multi-host CNI comprehensible
  • The iptables MASQUERADE rule is the same mechanism used in home routers for NAT — recognizing this cross-domain pattern is valuable

Connections

Raw Excerpt

The tutorial emphasizes that container networking emerges from combining basic Linux facilities rather than specialized container technology.