请参见代理所有容器:

主机服务器运行一个容器，该容器运行可以进行透明代理的代理(在这种情况下为鱿鱼).该容器具有一些iptables规则，可将NAT流量传输到代理服务器-这意味着该容器需要在特权模式下运行.

Host server runs a container running a proxy (squid, in this case) that can do transparent proxying. That container has some iptables rules that NAT traffic into the proxy server - this means that container needs to run in privileged mode.

主机服务器还包含ip路由表条目(这是神奇的地方)，它们通过代理容器重新路由来自除目的地为端口80的代理之外的任何容器的所有流量.

Host server also contains (and here's the magic) ip route table entries that re-route all traffic from any container but the proxy that was destined for port 80, through the proxy container.

最后一点本质上意味着对于端口80的流量，从容器到世界其他地方的路由通过代理容器-使其有机会进行NAT和透明代理.

That last bit essentially means that for port 80 traffic, the route from container to the rest of the world goes through the proxy container - giving it the chance to NAT and transparent proxy.

https://github.com/silarsis/docker-proxy