Docker creates a MASQUERADE iptables rule for every container that has an exposed port (in this example I have 5 containers with exposed port 3500):
sudo iptables -t nat -L -v -n
<snip>
Chain POSTROUTING (policy ACCEPT 42 packets, 2650 bytes)
pkts bytes target prot opt in out source destination
<snip>
0 0 MASQUERADE tcp -- * * 172.17.0.2 172.17.0.2 tcp dpt:3500
0 0 MASQUERADE tcp -- * * 172.17.0.3 172.17.0.3 tcp dpt:3500
0 0 MASQUERADE tcp -- * * 172.17.0.4 172.17.0.4 tcp dpt:3500
0 0 MASQUERADE tcp -- * * 172.17.0.5 172.17.0.5 tcp dpt:3500
0 0 MASQUERADE tcp -- * * 172.17.0.7 172.17.0.7 tcp dpt:3500
<snip>
If I understand things correctly, this means that when we have a packet with source and destination equal and destined for the docker container, the MASQUERADE target should apply. But when would this happen?
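Added example, not from the original question or from Docker: a small POSIX shell/awk check that reads `iptables -t nat -L -v -n` output in the layout shown above and lists every POSTROUTING MASQUERADE rule whose source equals its destination, which is exactly the per-published-port rule the question asks about. The sample output is constructed to match the question's columns (two containers instead of five), and the function names are my own.

```shell
#!/bin/sh
# Constructed sample of `iptables -t nat -L -v -n` output, modelled on the
# POSTROUTING chain in the question (not captured from a real host).
SAMPLE_NAT='Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   10   600 DOCKER     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type LOCAL

Chain POSTROUTING (policy ACCEPT 42 packets, 2650 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 MASQUERADE  all  --  *      !docker0  172.17.0.0/16        0.0.0.0/0
    0     0 MASQUERADE  tcp  --  *      *       172.17.0.2           172.17.0.2           tcp dpt:3500
    0     0 MASQUERADE  tcp  --  *      *       172.17.0.3           172.17.0.3           tcp dpt:3500

Chain DOCKER (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 RETURN     all  --  docker0 *       0.0.0.0/0            0.0.0.0/0
    0     0 DNAT       tcp  --  !docker0 *      0.0.0.0/0            0.0.0.0/0            tcp dpt:3500 to:172.17.0.2:3500'

# hairpin_masq_rules TEXT: print one "IP PORT" line for every POSTROUTING
# MASQUERADE rule in TEXT whose source and destination are the same host.
# Docker adds one such rule per published port. It only matches hairpin
# traffic: a container reaching its own published port through the host
# address, where the DNAT in the DOCKER chain has already rewritten the
# destination to the container's own IP, so src == dst.
hairpin_masq_rules() {
    printf '%s\n' "$1" | awk '
        /^Chain /              { chain = $2; next }     # track the current chain
        chain != "POSTROUTING" { next }
        $3 == "MASQUERADE" && $8 == $9 {                # source == destination
            port = ""
            for (i = 10; i <= NF; i++)                  # pick out "dpt:NNNN"
                if ($i ~ /^dpt:/) port = substr($i, 5)
            print $8, port
        }'
}

# hairpin_count TEXT: number of such rules (one per published container port).
hairpin_count() { hairpin_masq_rules "$1" | wc -l | tr -d ' '; }

hairpin_masq_rules "$SAMPLE_NAT"
```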
Best Answer
Although this thread is older, this question has now been answered here:
https://stackoverflow.com/questions/46802089/cant-understand-docker-iptables-rule
In short: this is intended for an edge case; in most cases, what interests you is this rule:
e.g.: