How can someone hack my PC if I am connecting to the internet through NAT?

Generally speaking, most NAT boxes also happen to provide some firewall-like protection: they tend to block incoming connections.

This is not an inherent or necessary property of NAT; it is just that most consumer devices that provide NAT also happen to provide this sort of firewalling as well. (Technically speaking, NAT does not necessarily imply any blocking of incoming connections.)

Nonetheless, for NAT devices that do block inbound connections (i.e., most of them), you do get some of the benefits of a firewall. This makes it harder for someone to connect to your PCs behind the NAT and attack them. In practice, this provides a sort of "poor man's firewall" that works pretty well against a common class of attacks.

However, NAT is far from a silver bullet. People can still compromise your PC, even if you use NAT, in a variety of ways:

  • A malicious website could exploit a vulnerability in your browser, a malicious email could exploit a vulnerability in your mail client, a social engineering attack could trick you into revealing your password or installing malware, a file you download over a file-sharing network could be malicious, and so on.

  • An attacker could attack your NAT box directly, e.g., by exploiting an open Wi-Fi link, by drive-by pharming, by guessing your NAT box's administrator password, etc.

  • An attacker could fool your NAT into allowing an inbound connection, using the NAT pinning attack. This is basically a technical vulnerability in NAT boxes which illustrates that their incidental connection-blocking can in some cases be defeated.

For more detailed elaboration on all of these points, I recommend you read the answers to "How important is NAT as a security layer?" and "What kind of attacks against home router's NAT do exist?". There is a lot of good information there.


Layers

I don't think looking at OSI layers is useful here. You're likely not vulnerable to layers below the IP protocol, since the internet only routes IP. And you're potentially vulnerable on all layers above. In practice most vulnerabilities are at the application layer.

I'd rather look at the problem by separating it into incoming and outgoing connections.

Outgoing connections

NAT doesn't interfere with those, apart from rewriting the IP address. If you're vulnerable without NAT, you're vulnerable with NAT in most cases here.

Typical vulnerabilities are buffer overflows in applications you use to access the internet. In particular in your browser, or in browser plugins.

Incoming connections

NAT by default blocks all incoming connections from the internet. This means if you're running some kind of server on your computer, it will not be accessible from the internet, and thus can't be easily exploited from there. This is mainly useful for servers, like Windows file sharing.

But you don't need NAT to get this. You could just as well use a firewall that blocks incoming connections.

Conclusion

The main thing NAT gains you in terms of security is blocking servers you run accidentally.


Defining incoming/outgoing connections for UDP is a bit harder. But since hole-punching requires your computer to send messages before being able to receive messages from a certain peer, counting those connections as outgoing works in this context.
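
An added illustration (not part of either answer above) of two points made on this page: NAT translation by itself does not imply blocking inbound traffic, and UDP hole-punching only works after the inside host has sent first. The toy model uses the filtering terms from RFC 4787; the class, function names, addresses and ports are all constructed for the example.

```python
# Toy model of a UDP NAT (added example; all names and addresses are constructed).
# Filtering modes follow RFC 4787 terminology.
from dataclasses import dataclass, field

EIF = "endpoint-independent"         # any remote host may use an existing mapping
APDF = "address-and-port-dependent"  # only remotes the inside host already sent to

@dataclass
class Nat:
    public_ip: str
    filtering: str
    next_port: int = 40000
    mappings: dict = field(default_factory=dict)   # (in_ip, in_port) -> public port
    reverse: dict = field(default_factory=dict)    # public port -> (in_ip, in_port)
    contacted: dict = field(default_factory=dict)  # public port -> {(remote_ip, remote_port)}

    def outbound(self, src, dst):
        """Inside host sends a datagram: create or reuse a mapping, remember the peer."""
        if src not in self.mappings:
            self.mappings[src] = self.next_port
            self.reverse[self.next_port] = src
            self.contacted[self.next_port] = set()
            self.next_port += 1
        port = self.mappings[src]
        self.contacted[port].add(dst)
        return (self.public_ip, port)

    def inbound(self, remote, public_port):
        """Datagram arrives from the internet: return the inside host, or None if dropped."""
        inside = self.reverse.get(public_port)
        if inside is None:
            return None  # no mapping: nothing to translate to, packet is dropped
        if self.filtering == APDF and remote not in self.contacted[public_port]:
            return None  # mapping exists, but this remote was never contacted
        return inside

def demo():
    pc, server, stranger = ("192.168.1.10", 5000), ("198.51.100.7", 3478), ("203.0.113.66", 9999)
    results = {}
    for mode in (EIF, APDF):
        nat = Nat("192.0.2.1", mode)
        before = nat.inbound(stranger, 40000)   # unsolicited, no mapping yet
        _, port = nat.outbound(pc, server)      # PC sends first (opens the mapping)
        results[mode] = (before, nat.inbound(server, port), nat.inbound(stranger, port))
    return results

if __name__ == "__main__":
    for mode, outcome in demo().items():
        print(mode, outcome)
```

In both modes nothing gets in before the PC has sent a packet. After that, the endpoint-independent NAT forwards traffic from any remote to the mapped port, while the address-and-port-dependent one behaves like a stateful firewall.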