Greetings!
Since I am currently reading up on this subject myself (NAT vs. port forwarding) I thought I'd share a few things. Note that I am in no way an expert on this and corrections are greatly appreciated. Also I am not a native English speaker so please bear with my rather blunt explanations.
Having said the above I will now elaborate:
Your router is probably doing NAT which means "Network Address Translation".
NAT is just a different form of port forwarding or routing in general (at least as far as Linux/iptables is concerned). What your router does is supposedly this: It accepts any connections from your client machines in your LAN that are meant for the internet. It then changes (translates) the source IP address from the original client to your actual public internet address. This way it will seem as though all connections of your clients are initiated by your router and not the PCs in your LAN. Your router also remembers these connections. Responses from internet servers will be addressed to your router. But as the router will recognize these connections, it will retranslate the destination IP to the client PC in your LAN that established the connection originally. That way all your clients can connect to any systems they like, but to the outside world (the internet) these connections will appear as though your router has established all these connections by itself. Your router is effectively hiding your LAN from the outside world.
(By the way, what happens here is only one form of NAT, namely SNAT (=Source NAT) or Masquerading (special form of SNAT for dynamic inet IPs). There is also DNAT (=Destination NAT) which has different purposes.)
Now what happens if any machine in the internet wants to establish a connection to one of your PCs, be it a port scan, an attempt to break security via buffer overflow or breaking a password or even just a legitimate try to access some service? The outside machine tries to establish a connection with your external IP address. Thus your router will be the receiver of the packets. However normally your router will not accept any packets for itself but it will translate the receiver's address and route it to the client PC in your LAN which established the connection. As you may have noticed, as this connection is established from the outside, none of your clients has established this connection and thus your router will be unable to tell where to route this connection to and will thusly drop it.
To make a long story short (i.e. if you skipped my long, confused explanation), your NAT router is bound to drop any new connections that any machine from the internet attempts to initialize with any of the PCs in your LAN. So you may feel pretty safe actually.
Beware though, there may still be security hazards if you use port forwarding. Also mind what others have said about this topic: Don't feel completely safe unless you have deactivated any services you don't really need and unless you update your systems regularly.
Another thing, and this is really important: Your hardware router is likely to have some sort of remote administration system. This may be via http, ssh or telnet. Make sure (= triple check) that you block any connections to these administration services from the internet because anyone could guess or brute force your passwords. Then all your efforts would be in vain because they could access any system in your LAN.
Again anyone is encouraged to correct or verify my claims.
Good night!
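
Added example, not part of the original post: a toy Python model of the connection table a masquerading (SNAT) router keeps, showing why replies get back to the LAN client while unsolicited inbound packets are dropped unless a port forward exists. All addresses, ports and names are constructed; matching replies on the full (port, remote IP, remote port) tuple is an assumption modelled on Linux connection tracking.

```python
# Toy model of a masquerading (SNAT) router with a connection-tracking table.
# All addresses and ports below are constructed sample values.
from dataclasses import dataclass, field

PUBLIC_IP = "203.0.113.5"  # documentation range, stands in for the router's WAN address


@dataclass
class NatRouter:
    public_ip: str = PUBLIC_IP
    next_port: int = 40000
    # (public_port, remote_ip, remote_port) -> (lan_ip, lan_port)
    conntrack: dict = field(default_factory=dict)
    # public_port -> (lan_ip, lan_port): static port forwards (DNAT)
    forwards: dict = field(default_factory=dict)

    def outbound(self, lan_ip, lan_port, remote_ip, remote_port):
        """LAN client opens a connection: rewrite the source and remember it."""
        public_port = self.next_port
        self.next_port += 1
        self.conntrack[(public_port, remote_ip, remote_port)] = (lan_ip, lan_port)
        return (self.public_ip, public_port, remote_ip, remote_port)

    def inbound(self, remote_ip, remote_port, public_port):
        """Packet arrives on the WAN side: return the LAN destination, or None (drop)."""
        key = (public_port, remote_ip, remote_port)
        if key in self.conntrack:         # reply to a tracked connection
            return self.conntrack[key]
        if public_port in self.forwards:  # explicit port forward
            return self.forwards[public_port]
        return None                       # unsolicited: no mapping, dropped


def demo():
    r = NatRouter()
    out = r.outbound("192.168.1.10", 51000, "198.51.100.7", 443)
    reply = r.inbound("198.51.100.7", 443, out[1])  # server answers the client
    scan = r.inbound("192.0.2.99", 55555, 22)       # new connection from outside
    other = r.inbound("192.0.2.99", 443, out[1])    # different host, same public port
    r.forwards[8080] = ("192.168.1.20", 80)         # a port forward opens a path in
    fwd = r.inbound("192.0.2.99", 55555, 8080)
    return out, reply, scan, other, fwd


if __name__ == "__main__":
    for item in demo():
        print(item)
```

The last case is the port-forwarding hazard the post mentions: once a forward exists, any outside host reaches the LAN service behind it.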