firewall
Alexander Taran, 2014-06-27 10:08:44

How to bypass NAT?

There is a public ("white") IP address issued by the provider and a local network behind NAT.
On the router, port 1234 is forwarded to port 1234 of computer 192.168.1.10.
How can I connect to port 4321 of computer 192.168.1.10, provided that nothing is forwarded to this port on the router? (No firewall)

Here the guy says that it is possible, casually mentioning manual routing.
youtu.be/B-dlhkWBNuA?t=15m50s
What is it about?


4 answer(s)
throughtheether, 2014-06-27
@Drakushev

"I'm talking about the fact that there is a manual form of routing. In other words, if you have some kind of server that is behind your NAT and you think that there is no way to get through to it from the outside because you have not configured port forwarding. You're wrong, I'll get to him. Since you have an external NAT...
... label routing allows the packet to be forwarded to your server."
One story is more surprising than the other, especially about manual routing and label routing (what is it?).
"You're wrong, I'll get to him."
First, such statements (of the "I'll get through" level) are usually reformulated into more neutral ones after an insistent request to demonstrate in practice what was stated. Second, the speaker forgot to clarify the meaning of the words "I will break through". What does it mean? Will the packet from the Internet reach the server? For which port is the encapsulated segment intended? What will be the effect? The fact that the speaker understands that NAT and the firewall are different things is very good; it's a pity that the argument is not flawless.
"How to connect to computer port 4321 192.168.1.10"
This is possible in the following case. The client 192.168.1.10 establishes a connection to the web server 2.2.2.2 using port 4321 on its side (it happens to be a coincidence). On the NAT device with the globally routable address 1.1.1.1, a translation of the form (192.168.1.10, tcp, 4321) -> (1.1.1.1, tcp, 31337) is created. The web server sees the client with address 1.1.1.1, source port 31337, and sends data to it (segments inside packets), which, after NAT translation, are actually delivered to the client 192.168.1.10, tcp port 4321. Further, if there is an attacker 3.3.3.3 who really needs to send a tcp segment (inside an IP packet) to client 192.168.1.10 on port 4321, then it specifies a static route (see "I'm talking about the fact that there is a manual form of routing") to 192.168.1.10/32 (the length of the prefix is not important, in my opinion) through 1.1. tcp-port to send a segment so that it is correctly configured. If 3.3.3.3 and 2.2.2.2 interact (exchange information), it will send to port 31337. If not, then it is more logical to send evenly to all ports and hope for good luck.
As you probably guessed, it's a little naive to expect that you can easily send a segment to any port of any host behind NAT. On the other hand, believing that you are like a stone wall behind NAT is also naive.
Also, the introductory notes are a little unclear. If a vulnerable service is listening on port 4321 and you want to exploit this vulnerability, then the above scheme is unlikely to be implemented unless this service sends data (bytes inside segments inside packets) to the Internet. Because if it does not do this, then there will be no translation on the NAT. Unless the NAT has bugs or you have an agent behind the same NAT that, by forging addresses, will achieve the creation of a translation (UPnP as an option). As you can see, there are many variations.
TL;DR: NAT is not a security feature.
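
The translation table described in the answer above, as an added illustration that is not part of the original post: a toy NAT model showing which inbound segments reach 192.168.1.10 with and without a translation. The class and function names, the remote ports 80 and 40000, and the two filtering modes (terms from RFC 4787) are assumptions of this example; TCP state tracking is deliberately not modelled.

```python
# Added illustration: toy NAT translation table (not from the original answer).
from dataclasses import dataclass, field

@dataclass
class Nat:
    filtering: str  # "endpoint-independent" or "address-and-port-dependent" (RFC 4787)
    forwards: dict = field(default_factory=dict)  # static: public port -> (host, port)
    mappings: dict = field(default_factory=dict)  # dynamic: public port -> (host, port)
    peers: dict = field(default_factory=dict)     # public port -> {(remote ip, remote port)}
    next_port: int = 31337                        # constructed to match the answer's example

    def outbound(self, src, sport, dst, dport):
        """Inside host opens a flow: create or reuse a translation, return the public port."""
        for pub, inside in self.mappings.items():
            if inside == (src, sport):
                self.peers[pub].add((dst, dport))
                return pub
        pub, self.next_port = self.next_port, self.next_port + 1
        self.mappings[pub] = (src, sport)
        self.peers[pub] = {(dst, dport)}
        return pub

    def inbound(self, src, sport, dport):
        """Return the inside (host, port) a packet to the public address reaches, or None."""
        if dport in self.forwards:
            return self.forwards[dport]      # explicit port forward, e.g. 1234 -> 1234
        if dport not in self.mappings:
            return None                      # no translation: nowhere to deliver
        strict = self.filtering == "address-and-port-dependent"
        if strict and (src, sport) not in self.peers[dport]:
            return None                      # translation exists, but not for this sender
        return self.mappings[dport]

def scenario(filtering):
    """Replay the answer's case: client 192.168.1.10:4321 talks to web server 2.2.2.2."""
    nat = Nat(filtering, forwards={1234: ("192.168.1.10", 1234)})
    before = nat.inbound("3.3.3.3", 40000, 4321)   # unsolicited, nothing forwarded to 4321
    pub = nat.outbound("192.168.1.10", 4321, "2.2.2.2", 80)
    return {
        "forwarded_1234": nat.inbound("3.3.3.3", 40000, 1234),
        "unsolicited_4321": before,
        "public_port": pub,
        "reply_from_2.2.2.2": nat.inbound("2.2.2.2", 80, pub),
        "third_party_3.3.3.3": nat.inbound("3.3.3.3", 40000, pub),
    }

if __name__ == "__main__":
    for mode in ("endpoint-independent", "address-and-port-dependent"):
        print(mode, scenario(mode))
```

Only the address-and-port-dependent mode drops the segment from 3.3.3.3, and that check is a filtering decision layered on top of address translation, not translation itself.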

Cool Admin, 2014-06-27
@ifaustrue

Outside, nothing. This is a clear attack on the network =)
The link did not open, so I cannot comment. Perhaps he is talking about UPnP, when the computer adds NAT rules to the router itself, but again, this is only inside the network.

DobroFenix, 2014-06-27
@DobroFenix

Exactly what is the problem?
VPN with a white (public) IP on the client.

Vlad Zhivotnev, 2014-06-27
@inkvizitor68sl

Well, if there is a Trojan on the computer behind NAT, then it's as easy as shelling pears: it's enough to go to the STUN server from it and continue to communicate via p2p.
Or use UDP Hole Punching.
In general, in theory, you can create such a TCP packet that will be unpacked on the router and sent to the desired address on the desired port within the network. Another question is where to find such a router that will not check/filter the TCP session for existence. Such routers ceased to be produced in 2007.
