docker · thaJeztah · Oct 15, 2025 · Oct 15, 2025
@@ -31,7 +31,8 @@ and the concepts around container networking.
 
 When Docker Engine on Linux starts for the first time, it has a single
 built-in network called the "default bridge" network. When you run a
-container with no `--network` option, it is connected to the default bridge.
+container without the `--network` option, it is connected to the default
+bridge.
 
 Containers attached to the default bridge have access to network services
 outside the Docker host. They use "masquerading" which means, if the

@@ -113,7 +113,7 @@ $ iptables -I DOCKER-USER -m iprange -i ext_if ! --src-range 192.0.2.1-192.0.2.3
 ```
 
 You can combine `-s` or `--src-range` with `-d` or `--dst-range` to control both
-the source and destination. For instance, if the Docker host has addresses
+the source and destination. For example, if the Docker host has addresses
 `2001:db8:1111::2` and `2001:db8:2222::2`, you can make rules specific to
 `2001:db8:1111::2` and leave `2001:db8:2222::2` open.
 
@@ -128,5 +128,5 @@ external address ranges.
 $ iptables -I DOCKER-USER -m state --state RELATED,ESTABLISHED -j ACCEPT
 ```
 
-For more detailed information about iptables configuration and advanced usage,
+For more information about iptables configuration and advanced usage,
 refer to the [Netfilter.org HOWTO](https://www.netfilter.org/documentation/HOWTO/NAT-HOWTO.html).
@@ -10,7 +10,8 @@ keywords: network, nftables, firewall
 > Support for nftables introduced in Docker 29.0.0 is experimental, configuration
 > options, behavior and implementation may all change in future releases.
 > The rules for overlay networks have not yet been migrated from iptables.
-> So, nftables cannot be enabled when the daemon has Swarm enabled.
+> Therefore, nftables cannot be enabled when the Docker daemon is running in
+> Swarm mode.
 
 To use nftables instead of iptables, use Docker Engine option
 `--firewall-backend=nftables` on its command line, or `"firewall-backend": "nftables"`
@@ -37,11 +38,13 @@ Each table contains a number of [base chains](https://wiki.nftables.org/wiki-nft
 and further chains are added for each bridge network. The moby project
 has some [internal documentation](https://github.com/moby/moby/blob/master/integration/network/bridge/nftablesdoc/index.md)
 describing its nftables, and how they depend on network and container
-configuration. But, the tables and their rules are likely to change between
-Docker Engine releases.
+configuration. However, the tables and their rules are likely to change
+between Docker Engine releases.
 
-Do not modify Docker's tables directly as the modifications are likely to
-be lost, Docker expects to have full ownership of its tables.
+> [!NOTE]
+>
+> Do not modify Docker's tables directly as the modifications are likely to
+> be lost, Docker expects to have full ownership of its tables.
 
 > [!NOTE]
 >
@@ -119,7 +122,7 @@ unwanted forwarding. Docker's bridges are in a firewalld zone called
 `docker`, it creates a forwarding policy called `docker-forwarding` that
 accepts forwarding from `ANY` zone to the `docker` zone.
 
-As an example, to use nftables to block forwarding between interfaces `eth0`
+For example, to use nftables to block forwarding between interfaces `eth0`
 and `eth1`, you could use:
 
 ```console
@@ -268,5 +271,5 @@ table ip my-table {
 }
 ```
 
-For more detailed information about nftables configuration and advanced usage,
+For more information about nftables configuration and advanced usage,
 refer to the [nftables wiki](https://wiki.nftables.org/wiki-nftables/index.php/Main_Page).
@@ -5,8 +5,8 @@ description: Accessing container ports
 keywords: network, iptables, firewall
 ---
 
-By default, for both IPv4 and IPv6, the daemon blocks access to ports that have not
-been published. Published container ports are mapped to host IP addresses.
+By default, for both IPv4 and IPv6, the Docker daemon blocks access to ports that
+have not been published. Published container ports are mapped to host IP addresses.
 To do this, it uses firewall rules to perform Network Address Translation (NAT),
 Port Address Translation (PAT), and masquerading.