EDIT: Quoting @Kid_Thunder@kbin.social from elsewhere in the thread because they summed it up beautifully:

NAT provides some security by sheer coincidence and not by design.

---

NAT is not security.

NAT is a stop-gap measure because there aren’t enough IPv4 addresses that exist in the world. NAT was created so multiple Local Area Networks all over the world could use the same IP numbers and not end up with IP conflicts.

Way way way back in the early days of the internet, there were no LAN IP and WAN IPs You had your Wide Area Network (Internet) IP and that was it. Prior to NAT all devices were directly accessible via their WAN IP on the whole ass internet.

To give you an idea, IPv4 came out in 1980 and it wasn’t until May of 1994 that the first RFC on NAT was published.

IPv6 is a full replacement for IPv4 that has not been fully adopted despite being around for 20 years or so. It has something like 16 undicillion (I don’t recall, it’s a fucking massive number) existing IP numbers, so it could take a few generations for it to run out of address space.

The thing is, it’s come full circle and IPv6 now is the same as IPv4 used to be and you can access a “local” IP directly from the wider internet and Network Address Translation is not needed in the routing setup at all. (I believe it’s called a Global Unicast Address, but it’s been a minute, so don’t quote me on that)

I reiterate NAT was never meant as a real security measure as it is simply Security Through Obscurity at best.

Further, it’s not even that obscure, NAT is often misconfigured meaning internal IPs and ports leak to the wider internet regularly.

Obligatory South Park Ski Instructor:

https://en.wikipedia.org/wiki/Network_address_translation

https://en.wikipedia.org/wiki/Internet_Protocol_version_4

https://en.wikipedia.org/wiki/Internet_Protocol_version_4#Address_space_exhaustion

https://en.wikipedia.org/wiki/IPv6_address

https://en.wikipedia.org/wiki/IPv6_address#Unicast_addresses