"Source routing is an IP option which allows the originator of a packet to specify what path that packet will take, and what path return packets sent back to the originator will take. Source routing is useful when the default route that a connection will take fails or is suboptimal for some reason, or for network diagnostic purposes."
If we take it that the normal traffic flow from the attacker to the server goes via "router a", "router b", "router c", a firewall and finally to the victim, we have the standard scenario for routing traffic over the Internet.
With source routing, the path could instead be made to go via "router a", "router b", the "trusted host", the firewall and finally to the victim, with the packet using the source IP of the trusted host.
If, for instance, the external trusted host is allowed through the firewall ruleset based on its source IP address, the attacker could bounce off this host in order to gain access to the internal network. This attack works because the trusted host retransmits the packet using its own IP address as the source address.
Many of the low end "NAT based firewalls" on the market are not true firewalls. Rather than setting up ACLs to filter traffic, they rely on a combination of NAT and private IP addressing to protect the internal network. Many of these boxes will respond to loose source routing; that is, they will forward packets received through source routing into their internal network. The most insidious part is that they will use the internal IP address of the firewall as the source address of the packet, which may even enable them to bypass many host-based firewall rules.
Having to guess the internal network of the victim may slow the attacker down a little, but the fact that the majority of these boxes default to an internal network of 192.168.0.x or 192.168.1.x makes this easier. Further, as I have mentioned in a previous post, it is generally simple to have the router respond with its internal interface. This of course is a dead giveaway of the internal network.
Many tools (even nc, Netcat) support a source route option. This allows the attacker to select the path taken to the host and also the return path. To set the attack up, the attacker source routes to the trusted host, which will be the last system outside the target's router or firewall.
Because of source routing, the return traffic for packets sent to the trusted host follows the reverse of the source route used to reach it and comes back to the attacker, even if the attacker is using a "non-routed" public IP address.
Source routing allows packets to follow a set path. It does not rely on the standard routing protocols and is therefore dangerous. Source routing is (still) used in a number of multicast protocols and many are loath to disable it.
There are two primary types of source routing: Loose Source Routing and Strict Source Routing. ISS has a good paper on this topic; have a read of it.
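As an added illustration (not code from the original post), the following Python parses the IPv4 option area for the loose (LSRR, type 0x83) and strict (SSRR, type 0x89) source route options and makes the drop decision a firewall or host filter should make for both. The header builder only constructs a test packet in memory; all addresses are constructed values from the documentation ranges.

```python
import struct
from ipaddress import IPv4Address

# IPv4 option type octets (RFC 791): LSRR = copied|control|number 3 = 0x83,
# SSRR = copied|control|number 9 = 0x89. These are the two options to filter.
LSRR, SSRR, NOOP, EOOL = 0x83, 0x89, 0x01, 0x00

def parse_source_routes(pkt: bytes):
    """Walk the IPv4 option area and return [(type, pointer, [hop, ...])]
    for every loose or strict source route option present."""
    ihl = (pkt[0] & 0x0F) * 4                      # header length in bytes
    if ihl < 20 or len(pkt) < ihl:
        raise ValueError("truncated or malformed IPv4 header")
    opts, found, i = pkt[20:ihl], [], 0
    while i < len(opts):
        t = opts[i]
        if t == EOOL:
            break
        if t == NOOP:
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2 or i + opts[i + 1] > len(opts):
            raise ValueError("bad option length")  # malformed option area
        length = opts[i + 1]
        if t in (LSRR, SSRR):
            pointer = opts[i + 2]                  # offset of next hop to process
            addrs = opts[i + 3:i + length]
            hops = [str(IPv4Address(addrs[j:j + 4])) for j in range(0, len(addrs) // 4 * 4, 4)]
            found.append((t, pointer, hops))
        i += length
    return found

def should_drop(pkt: bytes) -> bool:
    """Filter policy: refuse any packet carrying a loose or strict source route,
    and treat a malformed option area the same way."""
    try:
        return bool(parse_source_routes(pkt))
    except ValueError:
        return True

def build_ipv4_header(src: str, dst: str, route=None, strict=False) -> bytes:
    """Constructed test input: an IPv4 header (checksum left 0, no payload),
    optionally carrying a source route option listing the hops in `route`."""
    opt = b""
    if route:
        opt = bytes([SSRR if strict else LSRR, 3 + 4 * len(route), 4])
        opt += b"".join(IPv4Address(h).packed for h in route)
        opt += b"\x00" * (-len(opt) % 4)           # pad to 32-bit boundary with EOOL
    ihl = (20 + len(opt)) // 4
    return struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, 20 + len(opt), 0, 0, 64, 6, 0,
                       IPv4Address(src).packed, IPv4Address(dst).packed) + opt
```

The same check can be applied to a packet capture to find source-routed traffic that reached a host behind one of the NAT boxes described above.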