Re: NAT won't block it.
NAT rewrites the apparent source address of outbound connections. An inbound connection is not an outbound connection, hence NAT does nothing to it.
Wrong. What NAT does is make your entire LAN appear to be a single host to the WAN. Everything trying to communicate with me does so by specifying my public IP address. Thus NAT has to modify the headers both inbound and outbound.
When 192.168.1.106 sends a packet, the router changes the source address to be the public address of the router, updates its internal table of connection mappings, then sends it out to the WAN.
When the router receives a packet from the WAN, one of three things is done with it depending on the target address 'type':
* Private IP address - Dropped immediately. Leastwise I doubt anyone has ever implemented a NAT system that did anything other than immediately drop the packet, since by definition it is invalid.
* Public IP address - if it doesn't match the router's, drop it.
* Public IP address - if it matches the router's, then look in the connection mapping table for a match. If found, change the destination address to be the private address of the initiating host and send the packet onto the LAN. If no match is found in the table, give up and drop the packet.
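
The outbound rewrite and the three inbound cases described in the post above, as an added example that is not part of the original post. The `NatRouter` class, the port-keyed mapping table (matched on the remote address and port), the starting port 40000 and the documentation-range addresses are assumptions made for illustration.

```python
import ipaddress

# RFC 1918 private ranges, checked explicitly (documentation ranges stay "public" here).
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_private(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)

class NatRouter:  # hypothetical model, not any real router's implementation
    def __init__(self, public_ip):
        self.public_ip = public_ip
        self.flows = {}         # (lan_ip, lan_port, remote_ip, remote_port) -> public_port
        self.table = {}         # (public_port, remote_ip, remote_port) -> (lan_ip, lan_port)
        self.next_port = 40000  # constructed starting port

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        """LAN -> WAN: rewrite the source and record the mapping."""
        flow = (src_ip, src_port, dst_ip, dst_port)
        if flow not in self.flows:
            self.flows[flow] = self.next_port
            self.table[(self.next_port, dst_ip, dst_port)] = (src_ip, src_port)
            self.next_port += 1
        return (self.public_ip, self.flows[flow], dst_ip, dst_port)

    def inbound(self, src_ip, src_port, dst_ip, dst_port):
        """WAN -> LAN: return (verdict, rewritten packet or None)."""
        if is_private(dst_ip):                      # case 1
            return ("drop: private destination", None)
        if dst_ip != self.public_ip:                # case 2
            return ("drop: not our public address", None)
        entry = self.table.get((dst_port, src_ip, src_port))
        if entry is None:                           # case 3, no match
            return ("drop: no mapping", None)
        return ("forward", (src_ip, src_port) + entry)  # case 3, match

def demo():
    r = NatRouter("203.0.113.5")  # constructed addresses throughout
    r.outbound("192.168.1.106", 51000, "198.51.100.7", 443)
    packets = [("198.51.100.7", 443, "203.0.113.5", 40000),   # reply to the LAN host
               ("198.51.100.7", 443, "192.168.1.106", 51000), # private destination
               ("198.51.100.7", 443, "203.0.113.9", 40000),   # someone else's address
               ("198.51.100.99", 443, "203.0.113.5", 40000)]  # unsolicited sender
    return [r.inbound(*p)[0] for p in packets]

if __name__ == "__main__":
    print(demo())
```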