Address review comments.

robmry · robmry · commit ea7e170fd698 · 2025-08-26T14:55:07.000+01:00
- Note that publishing a port to an external host address
  does not restrict access to the interface with that address.
- Fix some formatting.

Signed-off-by: Rob Murray &lt;rob.murray@docker.com&gt;
diff --git a/content/manuals/engine/network/port-publishing.md b/content/manuals/engine/network/port-publishing.md
@@ -44,7 +44,7 @@ Here are some examples:
 > the outside world as well.
 >
 > If you include the localhost IP address (`127.0.0.1`, or `::1`) with the
-> publish flag, only the Docker host.
+> publish flag, only the Docker host can access the published container port.
 >
 > ```console
 > $ docker run -p 127.0.0.1:8080:80 -p '[::1]:8080:80' nginx
@@ -138,18 +138,31 @@ rules are still set up so that only published container ports are accessible.
 Outgoing packets from the container will use the container's address,
 not a host address.
 
-In `nat` mode, when a port is published to a specific host address, that
-port is only accessible via the host interface with that address. So,
-for example, publishing a port to an address on the loopback interface
-means remote hosts cannot access it.
-
-However, using direct routing, published container ports are always
-accessible from remote hosts, unless the Docker host's firewall has
-additional restrictions. Hosts on the local layer-2 network can set up
+To access a published port in a `routed` network, remote hosts must have
+a route to the container network via an external address on the Docker
+host ("direct routing"). Hosts on the local layer-2 network can set up
 direct routing without needing any additional network configuration.
 Hosts outside the local network can only use direct routing to the
 container if the network's routers are configured to enable it.
 
+In a `nat` mode network, publishing a port to an address on the loopback
+interface means remote hosts cannot access it. Other published container
+ports in `routed` and `nat` networks are always accessible from remote
+hosts using direct routing, unless the Docker host's firewall has additional
+restrictions.
+
+> [!NOTE]
+>
+> When a port is published to a specific host address in `nat` mode, if
+> IP forwarding is enabled on the Docker host, the published port can be
+> accessed via other host interfaces using direct routing to the host
+> address.
+>
+> For example, a Docker host with IP forwarding enabled has two NICs with
+> addresses `192.168.100.10/24` and `10.0.0.10/24`.
+> When a port is published to `192.168.100.10`, a host in the `10.0.0.0/24`
+> subnet can access that port by routing to `192.168.100.10` via `10.0.0.10`.
+
 In `nat-unprotected` mode, unpublished container ports are also
 accessible using direct routing, no port filtering rules are set up.
 This mode is included for compatibility with legacy default behaviour.
@@ -269,11 +282,12 @@ For example:
 
 > [!NOTE]
 >
-> - Setting the default binding address to `::` means port bindings with no host
-    >   address specified will work for any IPv6 address on the host. But, `0.0.0.0`
-    >   means any IPv4 or IPv6 address.
-> - Changing the default bind address doesn't have any effect on Swarm services.
-    >   Swarm services are always exposed on the `0.0.0.0` network interface.
+> Setting the default binding address to `::` means port bindings with no host
+> address specified will work for any IPv6 address on the host. But, `0.0.0.0`
+> means any IPv4 or IPv6 address.
+>
+> Changing the default bind address doesn't have any effect on Swarm services.
+> Swarm services are always exposed on the `0.0.0.0` network interface.
 
 ### Default bridge
 
