A NAT router typically acts as an intermediary between devices on private address ranges and the rest of the Internet. These private addresses are not routed anywhere on the Internet:
10.0.0.0 - 10.255.255.255 (10.0.0.0/8)
172.16.0.0 - 172.31.255.255 (172.16.0.0/12)
192.168.0.0 - 192.168.255.255 (192.168.0.0/16)
Any site is permitted to use one or more of these address ranges for its own purposes. However, without NAT, devices on these private networks would not be able to access or be accessed by devices on the Internet.
If you can reach sites on the Internet, but you have an address on one of the private address ranges, you're behind a NAT router.
There are several types of NAT described in the NAT RFC. The most common use is to "hide" an entire network of devices with private addresses behind a single routable address. A NAT router, either a computer or a dedicated hardware "appliance", has connections both to the Internet and to a network with a private address range. As mentioned previously, devices on private networks cannot by themselves access information on the Internet. A NAT acts as an intermediary as follows:
What would happen if a device on the Internet tried to contact a device on the private network behind a NAT router? It can't contact devices on the private network directly, because no Internet router will forward packets with private network addresses. It could try to send packets to the NAT router, but the NAT router has no way of knowing which device on the private network should receive the information, so the packets are simply dropped. This gives NAT routers basic firewall functionality with minimal configuration on the user's part.
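
The behaviour described above can be modelled with a small translation table. This is an added example, not code from the original page: the class `ToyNat`, the function `is_private`, the starting port 40000 and all addresses are constructed for illustration, and the model assumes a port-translating NAT that forwards inbound packets purely by public port.

```python
import ipaddress
from dataclasses import dataclass, field

# The three private ranges listed above.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_private(addr: str) -> bool:
    """True if addr falls in one of the non-routed private ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in PRIVATE_NETS)

@dataclass
class ToyNat:
    """Hypothetical model of a NAT hiding a private network behind one address."""
    public_ip: str                                 # the single routable address
    next_port: int = 40000                         # constructed starting port
    out_map: dict = field(default_factory=dict)    # (private ip, port) -> public port
    in_map: dict = field(default_factory=dict)     # public port -> (private ip, port)

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        """Rewrite a packet leaving the private network, creating a mapping if needed."""
        if not is_private(src_ip):
            raise ValueError("source is not on a private range")
        key = (src_ip, src_port)
        if key not in self.out_map:
            self.out_map[key] = self.next_port
            self.in_map[self.next_port] = key
            self.next_port += 1
        return (self.public_ip, self.out_map[key], dst_ip, dst_port)

    def inbound(self, src_ip, src_port, dst_port):
        """Translate a packet arriving at the public address, or return None (dropped)."""
        target = self.in_map.get(dst_port)
        if target is None:
            return None   # no mapping: the router cannot tell which device should get it
        return (src_ip, src_port, target[0], target[1])

if __name__ == "__main__":
    nat = ToyNat("203.0.113.5")                        # constructed documentation address
    print(nat.outbound("192.168.1.10", 51000, "198.51.100.7", 443))
    print(nat.inbound("198.51.100.7", 443, 40000))     # reply to the mapping: forwarded
    print(nat.inbound("198.51.100.99", 12345, 8080))   # unsolicited: dropped (None)
```

Only traffic that matches a mapping created by an earlier outbound packet reaches a private host; everything else has no entry in the table and is discarded.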