What is this MASQUERADE line meaning in iptables?

walterxj · June 13, 2016, 10:27am

hi:~
I run the command “docker run -it -p 222:22 --name centos-test centos /bin/bash” and then I find two new iptables entries in nat table:
-A POSTROUTING -s 172.17.0.3/32 -d 172.17.0.3/32 -p tcp -m tcp --dport 22 -j MASQUERADE
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 222 -j DNAT --to-destination 172.17.0.3:22
the seconed entry is easy to understand,but I’m confused with the first entry,in my comprehension,it’s source and destination are the same(the container’s ip),so the network flow need not to be MASQUERADE to the outside networks.Then what’s the use of it?
I’m not very familiar with iptables,thanks in advance.

walterxj · June 16, 2016, 2:41am

Here is my test environment,can anybody give me some hints?
CentOS Linux release 7.2.1511 (Core)
Client:
Version: 1.11.1
API version: 1.23
Go version: go1.5.4
Git commit: 5604cbe
Built: Wed Apr 27 00:34:42 2016
OS/Arch: linux/amd64

Server:
Version: 1.11.1
API version: 1.23
Go version: go1.5.4
Git commit: 5604cbe
Built: Wed Apr 27 00:34:42 2016
OS/Arch: linux/amd64