Let's say I want to have a server on my computer at port 1234, so that other hosts on the Internet can connect to it. I am behind a router NAT, so I configure the router to forward connections to 1234 to my LAN IP address. I use some service like this or this to check if it is really open, cranking in my Internet IP and port number. It says that my port is open, and in fact at the same time the server receives a connection:

    # nc -vv -l -p 1234
    listening on [any] 1234 ...
    connect to [192.168.0.7] from ec2-52-202-215-126.compute-1.amazonaws.com [18.104.22.168] 37873
     sent 0, rcvd 0
But when I try to connect to myself with my Internet IP, it times out. If I do not listen on the port, the connection is simply refused, as it should be. If I listen, it is ignored:

    # nc -vv -l -p 1234 &
    6869
    # nc 95.252.xxx.xxx 1234
And it just hangs there. (Of course, if I use instead the LAN IP it works fine).
Moreover, I notice that some hosts also cannot connect to my server: the original purpose of this arrangement was to quickly send commands to a friend of mine who often phones me and asks me to fix something on his computer, and who does not want to use software like telnet or ssh. Apparently also his computer cannot reach mine.
My computer does not have a firewall. The router (as far as I know) does not filter outbound connections. (Netgear DG834G)