Thanks for your reply, Wayne,
I think we have agreed on "The container can reach out to any IP and establish a TCP connection at will".
However, I am still confused by "the reverse traffic will be allowed because it initiated from within". Can you explain this in more detail, or tell me where I am wrong below?
My point is that no matter what the reverse traffic is, it is a TCP packet with a destination port. When this packet reaches DEA_host, the kernel's network rules will handle it, and only TCP packets to specific ports on DEA_host will be handled by DNAT; then the TCP packet will be forwarded to the container.
However, when an app starts a JDBC connection, it may fetch a random port, and this port has not been mapped on DEA_host.
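The mechanism under discussion in this thread (DNAT for explicitly mapped ports, SNAT for container-initiated flows, and connection tracking that lets reply packets through without a port mapping) can be modelled in a few lines. The following is an added example written for this page, not code from the original thread or from the DEA/Warden project; the IP addresses, port numbers and the `NatHost` class are constructed for illustration, and the model is deliberately simplified (it keys conntrack on a 3-tuple and ignores TCP state beyond the SYN flag).

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Hypothetical addresses for the scenario (constructed, not from the thread).
HOST_IP = "10.10.0.5"        # DEA_host's routable address
CONTAINER_IP = "172.16.0.2"  # container's private address
DB_IP = "10.10.0.9"          # the JDBC target


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    syn: bool = False  # True for the first packet of a new TCP connection


class NatHost:
    """Toy model of DEA_host's netfilter behaviour: DNAT for mapped ports,
    SNAT (masquerade) for container-initiated flows, and a conntrack table
    that lets reply packets back in without any port mapping."""

    def __init__(self, host_ip: str, container_ip: str, dnat_map: Dict[int, int]):
        self.host_ip = host_ip
        self.container_ip = container_ip
        self.dnat_map = dict(dnat_map)  # host port -> container port
        # conntrack: (peer_ip, peer_port, host_port) -> container source port
        self.conntrack: Dict[Tuple[str, int, int], int] = {}
        self._next_snat_port = 40000  # hypothetical SNAT port allocator

    def outbound(self, pkt: Packet) -> Packet:
        """Container -> outside. Rewrite the source to the host address and
        remember the flow so replies can be translated back."""
        assert pkt.src_ip == self.container_ip
        host_port = self._next_snat_port
        self._next_snat_port += 1
        self.conntrack[(pkt.dst_ip, pkt.dst_port, host_port)] = pkt.src_port
        return Packet(self.host_ip, host_port, pkt.dst_ip, pkt.dst_port, pkt.syn)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Outside -> host. Returns the packet as delivered to the container,
        or None if it is dropped."""
        assert pkt.dst_ip == self.host_ip
        # 1. Reply to a flow the container opened: the conntrack entry matches
        #    before any DNAT rule is consulted, so no explicit mapping is needed.
        key = (pkt.src_ip, pkt.src_port, pkt.dst_port)
        if key in self.conntrack:
            return Packet(pkt.src_ip, pkt.src_port,
                          self.container_ip, self.conntrack[key], pkt.syn)
        # 2. New connection to an explicitly mapped port: DNAT to the container.
        if pkt.syn and pkt.dst_port in self.dnat_map:
            return Packet(pkt.src_ip, pkt.src_port,
                          self.container_ip, self.dnat_map[pkt.dst_port], pkt.syn)
        # 3. Anything else (a new connection to an unmapped port) is dropped.
        return None


def jdbc_scenario() -> Dict[str, Optional[Packet]]:
    """Walk through the JDBC case: only the app's web port is mapped."""
    host = NatHost(HOST_IP, CONTAINER_IP, {61001: 8080})
    # The app picks an ephemeral port and opens the JDBC connection.
    syn = host.outbound(Packet(CONTAINER_IP, 52311, DB_IP, 5432, syn=True))
    # The DB replies to whatever source the SYN carried after SNAT.
    reply = host.inbound(Packet(DB_IP, 5432, HOST_IP, syn.src_port))
    # An unsolicited SYN to that same unmapped host port is still dropped.
    stray = host.inbound(Packet("10.10.0.77", 5432, HOST_IP, syn.src_port, syn=True))
    # A new connection to the mapped port is DNATed to the app.
    web = host.inbound(Packet("10.10.0.77", 33000, HOST_IP, 61001, syn=True))
    return {"syn": syn, "reply": reply, "stray": stray, "web": web}


if __name__ == "__main__":
    for name, pkt in jdbc_scenario().items():
        print(f"{name:6s} -> {pkt if pkt else 'DROPPED'}")
```

The point the model makes visible is that the reply packet and the stray SYN arrive at the same unmapped host port, yet only the reply is delivered to the container, because the decision is taken on the conntrack entry created by the outbound SYN rather than on a DNAT mapping.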