🐳 Docker Advanced

What is Docker networking at a deep level (iptables, veth pairs)?

Why Interviewers Ask This

This is a differentiating question used for senior and lead roles. Interviewers want to see if you can explain not just what happens, but why — and what the trade-offs are in different approaches.

Answer

Docker networking is implemented using Linux networking primitives.

Bridge: When Docker creates a bridge network, it creates a Linux bridge (a virtual network switch) — typically docker0 for the default bridge or br-xxx for user-defined networks.

veth pairs: For each container, Docker creates a veth pair (virtual Ethernet pair) — two connected virtual network interfaces. One end (eth0) goes into the container's network namespace; the other end (vethXXX) stays in the host namespace and is attached to the bridge. This acts as a virtual cable between the container and the bridge.

iptables: iptables rules implement port publishing and masquerade (NAT):
(1) Docker chains: Docker adds its own chains to iptables (DOCKER, DOCKER-USER, DOCKER-ISOLATION) for routing and filtering.
(2) DNAT: published ports (-p 8080:3000) create DNAT rules — traffic to host:8080 is translated to container-ip:3000.
(3) MASQUERADE: outbound container traffic is masqueraded (SNAT) with the host IP so return traffic routes correctly.
iptables -t nat -L DOCKER -n shows Docker's NAT rules.

DNS: Docker runs an embedded DNS server at 127.0.0.11 inside containers on user-defined networks; it resolves container and service names.

Debug networking: ip addr, ip route, bridge link, and nsenter -t $(docker inspect -f "{{.State.Pid}}" container) -n ip addr to run ip addr inside the container's network namespace.
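As an added example (not from the original card or from Docker itself), the following script parses the DNAT rules in the output of iptables -t nat -L DOCKER -n, described above, and reports which published ports are reachable on every host interface. The sample output is constructed for the example; the parser assumes the standard column layout of iptables -L -n.

```python
import re
from dataclasses import dataclass

# Constructed sample of `iptables -t nat -L DOCKER -n` output (not captured from a real host).
# Destination 0.0.0.0/0 means the port was published on all interfaces (-p 8080:3000);
# destination 127.0.0.1 means it was published loopback-only (-p 127.0.0.1:5432:5432).
SAMPLE_DOCKER_CHAIN = """\
Chain DOCKER (2 references)
target     prot opt source               destination
RETURN     all  --  0.0.0.0/0            0.0.0.0/0
DNAT       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:8080 to:172.17.0.2:3000
DNAT       tcp  --  0.0.0.0/0            127.0.0.1            tcp dpt:5432 to:172.18.0.3:5432
DNAT       udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:53 to:172.18.0.4:53
"""

# Matches one DNAT line: target, protocol, opt, source, destination, then the match and target extras.
DNAT_RE = re.compile(
    r"^DNAT\s+(?P<proto>tcp|udp)\s+\S+\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+"
    r"(?:tcp|udp)\s+dpt:(?P<hport>\d+)\s+to:(?P<cip>[\d.]+):(?P<cport>\d+)"
)


@dataclass(frozen=True)
class PublishedPort:
    proto: str
    host_dst: str        # destination column: 0.0.0.0/0 = any host address
    host_port: int
    container_ip: str
    container_port: int

    @property
    def exposed_to_all_interfaces(self) -> bool:
        return self.host_dst == "0.0.0.0/0"


def parse_docker_nat_chain(text: str) -> list[PublishedPort]:
    """Extract every DNAT port-publishing rule from the DOCKER nat chain listing."""
    rules = []
    for line in text.splitlines():
        m = DNAT_RE.match(line.strip())
        if m:
            rules.append(PublishedPort(m["proto"], m["dst"], int(m["hport"]),
                                       m["cip"], int(m["cport"])))
    return rules


def audit_exposed_ports(text: str) -> list[PublishedPort]:
    """Return the published ports that answer on every host interface, not just loopback."""
    return [r for r in parse_docker_nat_chain(text) if r.exposed_to_all_interfaces]


if __name__ == "__main__":
    for r in audit_exposed_ports(SAMPLE_DOCKER_CHAIN):
        print(f"{r.proto}/{r.host_port} on all interfaces -> {r.container_ip}:{r.container_port}")
```

Because the DNAT happens in PREROUTING, host INPUT-chain rules never see this traffic; restrictions for published ports belong in the DOCKER-USER chain or in a loopback-only -p binding.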

Common Mistake

Candidates often give textbook answers here. Interviewers are more impressed when you relate the concept to a specific problem you solved in a real Docker project.