networking.md: Networking between containers works without ip_forward

Docker-DCO-1.1-Signed-off-by: Erik Inge Bolsø <knan@redpill-linpro.com> (github: knan-linpro)

docs/sources/articles/networking.md

@@ -170,12 +170,41 @@ above, will make `/etc/resolv.conf` inside of each container look like
 the `/etc/resolv.conf` of the host machine where the `docker` daemon is
 running.  The options then modify this default configuration.
 
+## Communication between containers and the wider world
+
+<a name="the-world"></a>
+
+Whether a container can talk to the world is governed by one main factor.
+
+Is the host machine willing to forward IP packets?  This is governed
+by the `ip_forward` system parameter.  Packets can only pass between
+containers if this parameter is `1`.  Usually you will simply leave
+the Docker server at its default setting `--ip-forward=true` and
+Docker will go set `ip_forward` to `1` for you when the server
+starts up.  To check the setting or turn it on manually:
+
+    # Usually not necessary: turning on forwarding,
+    # on the host where your Docker server is running
+
+    $ cat /proc/sys/net/ipv4/ip_forward
+    0
+    $ sudo echo 1 > /proc/sys/net/ipv4/ip_forward
+    $ cat /proc/sys/net/ipv4/ip_forward
+    1
+
+Many using Docker will want `ip_forward` to be on, to at
+least make communication *possible* between containers and
+the wider world.
+
+May also be needed for inter-container communication if you are
+in a multiple bridge setup.
+
 ## Communication between containers
 
 <a name="between-containers"></a>
 
 Whether two containers can communicate is governed, at the operating
-system level, by three factors.
+system level, by two factors.
 
 1.  Does the network topology even connect the containers' network
     interfaces?  By default Docker will attach all containers to a
@@ -183,32 +212,14 @@ system level, by three factors.
     between them.  See the later sections of this document for other
     possible topologies.
 
-2.  Is the host machine willing to forward IP packets?  This is governed
+2.  Do your `iptables` allow this particular connection to be made?
-    by the `ip_forward` system parameter.  Packets can only pass between
-    containers if this parameter is `1`.  Usually you will simply leave
-    the Docker server at its default setting `--ip-forward=true` and
-    Docker will go set `ip_forward` to `1` for you when the server
-    starts up.  To check the setting or turn it on manually:
-
-        # Usually not necessary: turning on forwarding,
-        # on the host where your Docker server is running
-
-        $ cat /proc/sys/net/ipv4/ip_forward
-        0
-        $ sudo echo 1 > /proc/sys/net/ipv4/ip_forward
-        $ cat /proc/sys/net/ipv4/ip_forward
-        1
-
-3.  Do your `iptables` allow this particular connection to be made?
     Docker will never make changes to your system `iptables` rules if
     you set `--iptables=false` when the daemon starts.  Otherwise the
     Docker server will add a default rule to the `FORWARD` chain with a
     blanket `ACCEPT` policy if you retain the default `--icc=true`, or
     else will set the policy to `DROP` if `--icc=false`.
 
-Nearly everyone using Docker will want `ip_forward` to be on, to at
+It is a strategic question whether to leave `--icc=true` or change it to
-least make communication *possible* between containers.  But it is a
-strategic question whether to leave `--icc=true` or change it to
 `--icc=false` (on Ubuntu, by editing the `DOCKER_OPTS` variable in
 `/etc/default/docker` and restarting the Docker server) so that
 `iptables` will protect other containers — and the main host — from