Wow. This is awesome. So essentially the client pretends to be a "hop" with a specifically crafted ICMP packet. The NAT simply forwards it along as if it were expecting it. Neat!
The only thing stopping this would be flooding these ICMP packets to pwnat servers. The server would get the wrong IP and do extra work. In practice, it would be difficult to figure out if pwnat is running since it probably isn't meant to be a long-running process.
Also: I know that some providers prevent UDP forging on the "source" address. Do they do this also at the ICMP level? If so, I guess this is another setback.
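To make the "pretends to be a hop" point concrete, here is an added example (not from the comment above and not pwnat's own code) that models the decision a stateful NAT makes about an inbound ICMP error. The NAT records the echo requests it translated outbound and admits an ICMP Time Exceeded only if the packet quoted inside it matches one of those entries; the outer source address of the error is never consulted, because any router on the path may legitimately originate one. The addresses, ICMP id and state table are constructed for the demo, and the NAT model is deliberately simplified to ICMP echo state only.

```python
import socket
import struct

# Constructed sample addresses (assumptions for the demo, not from the comment):
# the NAT's public address and the host the inside machine was pinging.
NAT_PUBLIC = "198.51.100.7"
PING_TARGET = "203.0.113.9"


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum used by IPv4 and ICMP headers."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with a valid header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]


def icmp_echo_request(ident: int, seq: int, payload: bytes = b"") -> bytes:
    """ICMP type 8 (echo request) with identifier, sequence and checksum filled in."""
    msg = struct.pack("!BBHHH", 8, 0, 0, ident, seq) + payload
    return msg[:2] + struct.pack("!H", checksum(msg)) + msg[4:]


def icmp_time_exceeded(quoted_ip_header: bytes, quoted_l4: bytes) -> bytes:
    """ICMP type 11 code 0: 4 unused bytes, then the offending IP header + its first 8 bytes."""
    msg = struct.pack("!BBHI", 11, 0, 0, 0) + quoted_ip_header + quoted_l4[:8]
    return msg[:2] + struct.pack("!H", checksum(msg)) + msg[4:]


def nat_accepts_icmp_error(state: set, icmp: bytes) -> bool:
    """Decide whether a stateful NAT forwards an inbound ICMP error to the inside.

    `state` holds (src, dst, id, seq) tuples for echo requests the NAT translated
    outbound. Only the quoted inner packet is matched; the outer source of the
    error is not part of the decision, which is exactly why a message that looks
    like it came from an intermediate hop is treated like any other hop's reply.
    """
    if len(icmp) < 8 + 20 + 8 or checksum(icmp) != 0:
        return False
    icmp_type = icmp[0]
    if icmp_type not in (3, 11, 12):  # unreachable, time exceeded, parameter problem
        return False
    inner = icmp[8:]
    ihl = (inner[0] & 0x0F) * 4
    if ihl < 20 or len(inner) < ihl + 8:
        return False
    if inner[9] != 1:  # only ICMP echo state is modelled here
        return False
    src = socket.inet_ntoa(inner[12:16])
    dst = socket.inet_ntoa(inner[16:20])
    inner_type, _, _, ident, seq = struct.unpack("!BBHHH", inner[ihl:ihl + 8])
    return inner_type == 8 and (src, dst, ident, seq) in state


def demo() -> tuple:
    """Returns (accepted_matching_error, accepted_stray_error)."""
    # 1. The inside host pings PING_TARGET; the NAT records the translated flow.
    state = {(NAT_PUBLIC, PING_TARGET, 0x1234, 1)}
    echo = icmp_echo_request(0x1234, 1)
    quoted = ipv4_header(NAT_PUBLIC, PING_TARGET, 1, len(echo), ttl=1)
    # 2. A Time Exceeded quoting that exact echo is admitted, whoever sent it.
    matching = icmp_time_exceeded(quoted, echo)
    # 3. One quoting an identifier the NAT never saw outbound is dropped.
    stray = icmp_time_exceeded(quoted, icmp_echo_request(0x9999, 1))
    return nat_accepts_icmp_error(state, matching), nat_accepts_icmp_error(state, stray)


if __name__ == "__main__":
    print(demo())
```

The takeaway for the defender is the asymmetry the comment hints at: the NAT can verify the quoted inner packet (identifier, sequence, addresses) against its own state, but it has no way to verify who actually emitted the error, so logging or rate-limiting unsolicited ICMP errors is the kind of control that can at least make such traffic visible.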