How does the docker container connect to a port on the host?

Question

My question is very similar to this(From inside of a Docker container, how do I connect to the localhost of the machine?).

I tried to use --network="host" to connect to the host's 8118 proxy, but this is not what I want. I still want to use the bridge mode. In fact, I feel that docker's bridging is similar to NAT in the traditional sense.The virtual switch docker0 installed on the host, the different containers rely on this switch to communicate with each other, and the container can also ping the host, in theory, can communicate with the host and access its open port, but in fact it can't, I don't know why, who can help me? (The ping protocol is based on tcp, it also means that 20/21 ports are reachable.why unreachable for 8118?)

Ok, I may have found the reason, the port is to be monitored, I will try to change the monitoring of the host agent software.

The following is my attempt, the container can not successfully connect to the 8118 proxy port on the host:

The terminal on the left is my host, and on the right is my docker container

host:

VirtualBox-centos7 (ip:192.168.125.95, shadowsocks[127.0.0.1:1080], privoxy[127.0.0.1:8118]): wget is ok.

docker:

a container setting http_proxy=192.168.125.95:8118... and wget get an error:No route to host,then I turn off the firewall and try again get another error:Connection refused.

docker container:

root@bee1d2892df4:/go# ip route show
default via 172.17.0.1 dev eth0 
172.17.0.0/16 dev eth0 proto kernel scope link src 172.17.0.2 
root@bee1d2892df4:/go# ip add                 
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
23: eth0@if24: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default 
    link/ether 02:42:ac:11:00:02 brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet 172.17.0.2/16 brd 172.17.255.255 scope global eth0
       valid_lft forever preferred_lft forever
root@bee1d2892df4:/go# telnet 172.17.0.1 8118 
Trying 172.17.0.1...
telnet: Unable to connect to remote host: Connection refused
root@bee1d2892df4:/go# telnet 192.168.125.95 8118
Trying 192.168.125.95...
telnet: Unable to connect to remote host: Connection refused
root@bee1d2892df4:/go# 

host:(This should be useless, my iptables should not be started.)

[root@localhost shadowsocks]# iptables -A INPUT -i docker0 -j ACCEPT
[root@localhost shadowsocks]# iptables -nL --line-number
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination         
1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
2    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
3    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           

Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination         
1    DOCKER-USER  all  --  0.0.0.0/0            0.0.0.0/0           
2    DOCKER-ISOLATION-STAGE-1  all  --  0.0.0.0/0            0.0.0.0/0           
3    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
4    DOCKER     all  --  0.0.0.0/0            0.0.0.0/0           
5    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
6    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
7    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
8    DOCKER     all  --  0.0.0.0/0            0.0.0.0/0           
9    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
10   ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination         

Chain DOCKER (2 references)
num  target     prot opt source               destination         

Chain DOCKER-ISOLATION-STAGE-1 (1 references)
num  target     prot opt source               destination         
1    DOCKER-ISOLATION-STAGE-2  all  --  0.0.0.0/0            0.0.0.0/0           
2    DOCKER-ISOLATION-STAGE-2  all  --  0.0.0.0/0            0.0.0.0/0           
3    RETURN     all  --  0.0.0.0/0            0.0.0.0/0           

Chain DOCKER-ISOLATION-STAGE-2 (2 references)
num  target     prot opt source               destination         
1    DROP       all  --  0.0.0.0/0            0.0.0.0/0           
2    DROP       all  --  0.0.0.0/0            0.0.0.0/0           
3    RETURN     all  --  0.0.0.0/0            0.0.0.0/0           

Chain DOCKER-USER (1 references)
num  target     prot opt source               destination         
1    RETURN     all  --  0.0.0.0/0            0.0.0.0/0        

Answer 1

Solution:

echo 'listen-address  172.17.0.1:8118' > /usr/local/etc/privoxy/config 
service privoxy restart
netstat -nltp|grep 8118
tcp        0      0 172.17.0.1:8118         0.0.0.0:*               LISTEN      27154/privoxy       
tcp        0      0 127.0.0.1:8118          0.0.0.0:*               LISTEN      27154/privoxy

ps: I made a very low-level mistake, I need to learn the principle of the system, I have a lot of misunderstandings, a service is not said to be able to ping ip can be used, the role of the port is used to monitor and accept packets, pingPassing only represents tcp port monitoring no problem (may be 0.0.0.0), but the third-party service must pay attention to.

Answer 2

If you can, yum install strace. Then run wget again with strace in front. so,

strace -f wget .........

Look for the system level failure message. Don't forget wget --debug as well.

Another thing to consider is what user is each of these examples running as. Are they different users when you run wget directly etc?