What is it you're trying to accomplish?

If your router (NAT device/firewall) does not forward traffic, then you can't get beyond it to your network.

Typically the border device (router or firewall) forwards traffic it receives per its ruleset to the correct internal server.

i must say that your post isnt really clear. Are you trying to scan through the internal network or through the internet? if you cant see any ports your firewall does its work good. you must open them to connect to the other system. remember that there has to be a service behind it also!

@unsupported

you mentioned that one could flood a router or do ARP poisoning in order to capture the traffic. But doesn't a router operate in Layer-3? As far as I am concerned a router is not affected by such an attack?

or am I wrong?

i'm scanning through the internet remote computer so for instance i'm on my laptop going into my router i have a dyndns account set up so it's straight through i'm not forwarding any ports and nmap reads the following:

PORT    STATE    SERVICE     VERSION
21/tcp  filtered ftp
22/tcp  filtered ssh
53/tcp  filtered domain
80/tcp  filtered http
110/tcp filtered pop3
139/tcp filtered netbios-ssn
143/tcp filtered imap
443/tcp filtered https

so everything is filtered at the router itself is there anyway through that or would you say it's pretty secure?

In a rather generic nutshell -

ARP poisoning basically tricks devices on the network into associating an IP address from a valid host (or router) to another host or router, by propagating the secondary device's MAC address into the ARP tables.

ok so I get that now and the man in the middle attack and sniffing the data. But what i'm trying to figure out is ok so we have this router I use ettercap or whatever tool to do the arp poisoning and route the packets through my computer first and then to the router so i see the packets all in pretty much hex and really doesn't make much sense i can read and binary but not sure what i'm looking at with the sniffing here but then how from there how would i select the specific computer and ultimately get a shell on it which is my ultimate goal to learn to do? Like I said i'm kinda new to this and more of a hands on type of learner which is why i set the network up in my house like this and pretty much closed everything to see if what i read in several books and what not i could put to actual use and then go from there to secure it more and then try to break it again LOL.

It depends on what the data is, that you sniff.  You can read the ascii text in packets, so if you happen to be sniffing, for example, traffic going to an html login page that isn't ssl encrypted, you might see plaintext passwords, and the like.  You might also see, as Ketchup noted, a relevant filename, xss vulnerabilities, or exploitable php script being accessed, etc.  Consequently, you might see other ports and services show up in the trace, that you weren't aware of, that are open on the server being queried, so you can then banner grab or research and target attacks that are relevant to the services running on those ports.  This is all a learning process, and there are often times, when I'm scanning in this fashion, that I spot new services and ports that I wasn't previously aware of (new stuff, yay!) and I can learn what those services are, and how to exploit them.

It's a process, but one worth learning, as, even if you DON'T pursue security, in the end, you will have a much better knowledge of what goes on within the network in question.