I understand these things quite well, as I wouldn't be in the field if I didn't. NAT provides some degree of security in the sense that if you are on an IPv4 network (99% of home users) on an RFC 1918 network (99% of home users) with NAT enabled, it is impossible for anyone to send an unsolicited datagram to your computer behind the NAT.
There are technologies which punch holes in this (like UPnP), but that does not change the implicit security.
NAT in a typical Linux-based router does not prevent someone on the external interface from talking to any port and any host on the internal network.
Then you have a static port mapping. Generally to get through the NAT you need to know the public IP and port (out of 65536) you want to connect to, which is dynamically assigned. Then you need to deal with the fact that anything you send is going to be pinned to a specific client port not of your choosing, and you will not know the correct source port to get the client to accept your unsolicited datagram (which will thence be dropped).
I never said it was perfect security, but it prevents folks from accessing listening ports (like 135-139), as a listener port won't have a dynamic mapping; only outbound traffic gets those.
But you seem to think I'm wrong, so educate me. Let's set up a scenario.
Gateway Public: 1.2.1.1
Gateway private: 192.168.50.1
Windows XP box: 192.168.50.5
No firewalls, NAT on the gateway, Windows XP listening on port 135-139.
What Layer 3/4 headers are you going to use that's gonna get a packet delivered to one of those 4 ports on that XP box?
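
The dynamic-mapping behaviour described in this post, modelled as an added Python example that is not part of the original post. It assumes a gateway that filters on remote address and port, a dynamic port pool starting at 40000, and constructed remote addresses from the documentation ranges; it models only packets addressed to the gateway's public IP, not the router's forwarding policy for other destinations.

```python
# Constructed model of a NAPT gateway's dynamic mapping table (illustration only).
from dataclasses import dataclass, field

PUBLIC_IP = "1.2.1.1"   # gateway public address from the post's scenario
XP_BOX = "192.168.50.5"  # inside host from the post's scenario

@dataclass
class Napt:
    next_port: int = 40000  # assumed start of the dynamic port pool
    # public port -> (inside ip, inside port, remote ip, remote port)
    table: dict = field(default_factory=dict)

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        """Inside host sends a packet: reuse or allocate a mapping, return rewritten source."""
        flow = (src_ip, src_port, dst_ip, dst_port)
        for pub, entry in self.table.items():
            if entry == flow:
                return PUBLIC_IP, pub
        pub = self.next_port
        self.next_port += 1
        self.table[pub] = flow
        return PUBLIC_IP, pub

    def inbound(self, src_ip, src_port, dst_ip, dst_port):
        """Packet arrives for the public IP: return inside (ip, port), or None if dropped."""
        if dst_ip != PUBLIC_IP:
            raise ValueError("model covers only traffic addressed to the public IP")
        entry = self.table.get(dst_port)
        if entry is None:
            return None  # no dynamic mapping exists for this public port
        in_ip, in_port, r_ip, r_port = entry
        if (src_ip, src_port) != (r_ip, r_port):
            return None  # mapping is pinned to a different remote endpoint
        return in_ip, in_port

def demo():
    gw = Napt()
    out = {}
    # Unsolicited datagrams aimed at the listener ports named in the post.
    out["unsolicited"] = [gw.inbound("203.0.113.9", 5555, PUBLIC_IP, p)
                          for p in range(135, 140)]
    # The XP box opens an outbound flow, which creates a dynamic mapping.
    _, pub = gw.outbound(XP_BOX, 1025, "198.51.100.7", 80)
    out["reply"] = gw.inbound("198.51.100.7", 80, PUBLIC_IP, pub)
    out["third_party"] = gw.inbound("203.0.113.9", 5555, PUBLIC_IP, pub)
    return out

if __name__ == "__main__":
    print(demo())
```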