So, assuming the router doesn't have any server running, the connection will be reset, thus protecting all of the machines behind the router from any incoming connection, almost exactly like a firewall (sure, a firewall might just drop the packet instead of responding with a RST). So, in other words, NAT alone can act like a security perimeter, even with no firewall present.

How does the router rejecting a connection to the router protect the machines behind the router? That doesn't make any sense.

Because no one on the Internet can reach my 192.168.0.7 machine if the NAT router doesn't translate the packet. And the NAT router won't send a packet that arrives with its public IP as dstIP to any machine behind it, unless the port its ports correspond to an open connection, or to an explicitly forwarded port.

You could turn NAT off completely and still no-one on the Internet could reach your 192.168.0.7. There's no security perimeter coming from NAT here.

> And the NAT router won't send a packet that arrives with its public IP as dstIP to any machine behind it

Yes, of course. The problem is when a packet arrives with the IP of a LAN machine.