diff --git a/spec/acceptance/firewall_spec.rb b/spec/acceptance/firewall_spec.rb
diff --git a/spec/acceptance/firewallchain_spec.rb b/spec/acceptance/firewallchain_spec.rb
@@ -18,8 +18,8 @@
       end
 
       it 'finds the chain' do
-        shell('iptables -S') do |r|
-          expect(r.stdout).to match(/-N MY_CHAIN/)
+        shell('iptables-save') do |r|
+          expect(r.stdout).to match(/MY_CHAIN/)
         end
       end
     end
@@ -37,8 +37,8 @@
       end
 
       it 'fails to find the chain' do
-        shell('iptables -S') do |r|
-          expect(r.stdout).to_not match(/-N MY_CHAIN/)
+        shell('iptables-save') do |r|
+          expect(r.stdout).to_not match(/MY_CHAIN/)
         end
       end
     end
@@ -116,8 +116,8 @@
       end
 
       it 'finds the chain' do
-        shell('iptables -S') do |r|
-          expect(r.stdout).to match(/-P FORWARD DROP/)
+        shell('iptables-save') do |r|
+          expect(r.stdout).to match(/FORWARD DROP/)
         end
       end
     end

diff --git a/spec/acceptance/ip6_fragment_spec.rb b/spec/acceptance/ip6_fragment_spec.rb
@@ -1,93 +1,113 @@
 require 'spec_helper_acceptance'
 
-describe 'firewall ishasmorefrags/islastfrag/isfirstfrag properties' do
-  before :all do
-    ip6tables_flush_all_tables
-  end
+if default['platform'] =~ /el-5/
+  describe "firewall ip6tables doesn't work on 1.3.5 because --comment is missing" do
+    before :all do
+      ip6tables_flush_all_tables
+    end
 
-  shared_examples "is idempotent" do |values, line_match|
-    it "changes the values to #{values}" do
+    it "can't use ip6tables" do
       pp = <<-EOS
-          class { '::firewall': }
-          firewall { '599 - test':
-            ensure   => present,
-            proto    => 'tcp',
-            provider => 'ip6tables',
-            #{values}
-          }
+        class { '::firewall': }
+        firewall { '599 - test':
+          ensure   => present,
+          proto    => 'tcp',
+          provider => 'ip6tables',
+        }
       EOS
-
-      apply_manifest(pp, :catch_failures => true)
-      apply_manifest(pp, :catch_changes => true)
-
-      shell('ip6tables -S') do |r|
-        expect(r.stdout).to match(/#{line_match}/)
-      end
+      expect(apply_manifest(pp, :expect_failures => true).stderr).to match(/ip6tables provider is not supported/)
     end
   end
-  shared_examples "doesn't change" do |values, line_match|
-    it "doesn't change the values to #{values}" do
-      pp = <<-EOS
-          class { '::firewall': }
-          firewall { '599 - test':
-            ensure   => present,
-            proto    => 'tcp',
-            provider => 'ip6tables',
-            #{values}
-          }
-      EOS
+else
+  describe 'firewall ishasmorefrags/islastfrag/isfirstfrag properties' do
+    before :all do
+      ip6tables_flush_all_tables
+    end
 
-      apply_manifest(pp, :catch_changes => true)
+    shared_examples "is idempotent" do |values, line_match|
+      it "changes the values to #{values}" do
+        pp = <<-EOS
+            class { '::firewall': }
+            firewall { '599 - test':
+              ensure   => present,
+              proto    => 'tcp',
+              provider => 'ip6tables',
+              #{values}
+            }
+        EOS
 
-      shell('ip6tables -S') do |r|
-        expect(r.stdout).to match(/#{line_match}/)
-      end
-    end
-  end
+        apply_manifest(pp, :catch_failures => true)
+        apply_manifest(pp, :catch_changes => true)
 
-  describe 'adding a rule' do
-    context 'when unset' do
-      before :all do
-        ip6tables_flush_all_tables
+        shell('ip6tables-save') do |r|
+          expect(r.stdout).to match(/#{line_match}/)
+        end
       end
-      it_behaves_like 'is idempotent', '', /-A INPUT -p tcp -m comment --comment "599 - test"/
     end
-    context 'when set to true' do
-      before :all do
-        ip6tables_flush_all_tables
-      end
-      it_behaves_like "is idempotent", 'ishasmorefrags => true, islastfrag => true, isfirstfrag => true', /-A INPUT -p tcp -m frag --fragid 0 --fragmore -m frag --fragid 0 --fraglast -m frag --fragid 0 --fragfirst -m comment --comment "599 - test"/
-    end
-    context 'when set to false' do
-      before :all do
-        ip6tables_flush_all_tables
+    shared_examples "doesn't change" do |values, line_match|
+      it "doesn't change the values to #{values}" do
+        pp = <<-EOS
+            class { '::firewall': }
+            firewall { '599 - test':
+              ensure   => present,
+              proto    => 'tcp',
+              provider => 'ip6tables',
+              #{values}
+            }
+        EOS
+
+        apply_manifest(pp, :catch_changes => true)
+
+        shell('ip6tables-save') do |r|
+          expect(r.stdout).to match(/#{line_match}/)
+        end
       end
-      it_behaves_like "is idempotent", 'ishasmorefrags => false, islastfrag => false, isfirstfrag => false', /-A INPUT -p tcp -m comment --comment "599 - test"/
     end
-  end
-  describe 'editing a rule' do
-    context 'when unset or false' do
-      before :each do
-        ip6tables_flush_all_tables
-        shell('/sbin/ip6tables -A INPUT -p tcp -m comment --comment "599 - test"')
-      end
-      context 'and current value is false' do
-        it_behaves_like "doesn't change", 'ishasmorefrags => false, islastfrag => false, isfirstfrag => false', /-A INPUT -p tcp -m comment --comment "599 - test"/
+
+    describe 'adding a rule' do
+      context 'when unset' do
+        before :all do
+          ip6tables_flush_all_tables
+        end
+        it_behaves_like 'is idempotent', '', /-A INPUT -p tcp -m comment --comment "599 - test"/
       end
-      context 'and current value is true' do
+      context 'when set to true' do
+        before :all do
+          ip6tables_flush_all_tables
+        end
         it_behaves_like "is idempotent", 'ishasmorefrags => true, islastfrag => true, isfirstfrag => true', /-A INPUT -p tcp -m frag --fragid 0 --fragmore -m frag --fragid 0 --fraglast -m frag --fragid 0 --fragfirst -m comment --comment "599 - test"/
       end
-    end
-    context 'when set to true' do
-      before :each do
-        ip6tables_flush_all_tables
-        shell('/sbin/ip6tables -A INPUT -p tcp -m frag --fragid 0 --fragmore -m frag --fragid 0 --fraglast -m frag --fragid 0 --fragfirst -m comment --comment "599 - test"')
-      end
-      context 'and current value is false' do
+      context 'when set to false' do
+        before :all do
+          ip6tables_flush_all_tables
+        end
         it_behaves_like "is idempotent", 'ishasmorefrags => false, islastfrag => false, isfirstfrag => false', /-A INPUT -p tcp -m comment --comment "599 - test"/
       end
-      context 'and current value is true' do
-        it_behaves_like "doesn't change", 'ishasmorefrags => true, islastfrag => true, isfirstfrag => true', /-A INPUT -p tcp -m frag --fragid 0 --fragmore -m frag --fragid 0 --fraglast -m frag --fragid 0 --fragfirst -m comment --comment "599 - test"/
+    end
+    describe 'editing a rule' do
+      context 'when unset or false' do
+        before :each do
+          ip6tables_flush_all_tables
+          shell('ip6tables -A INPUT -p tcp -m comment --comment "599 - test"')
+        end
+        context 'and current value is false' do
+          it_behaves_like "doesn't change", 'ishasmorefrags => false, islastfrag => false, isfirstfrag => false', /-A INPUT -p tcp -m comment --comment "599 - test"/
+        end
+        context 'and current value is true' do
+          it_behaves_like "is idempotent", 'ishasmorefrags => true, islastfrag => true, isfirstfrag => true', /-A INPUT -p tcp -m frag --fragid 0 --fragmore -m frag --fragid 0 --fraglast -m frag --fragid 0 --fragfirst -m comment --comment "599 - test"/
+        end
+      end
+      context 'when set to true' do
+        before :each do
+          ip6tables_flush_all_tables
+          shell('ip6tables -A INPUT -p tcp -m frag --fragid 0 --fragmore -m frag --fragid 0 --fraglast -m frag --fragid 0 --fragfirst -m comment --comment "599 - test"')
+        end
+        context 'and current value is false' do
+          it_behaves_like "is idempotent", 'ishasmorefrags => false, islastfrag => false, isfirstfrag => false', /-A INPUT -p tcp -m comment --comment "599 - test"/
+        end
+        context 'and current value is true' do
+          it_behaves_like "doesn't change", 'ishasmorefrags => true, islastfrag => true, isfirstfrag => true', /-A INPUT -p tcp -m frag --fragid 0 --fragmore -m frag --fragid 0 --fraglast -m frag --fragid 0 --fragfirst -m comment --comment "599 - test"/
+        end
       end
     end
   end

diff --git a/spec/acceptance/isfragment_spec.rb b/spec/acceptance/isfragment_spec.rb
@@ -19,7 +19,7 @@ class { '::firewall': }
       apply_manifest(pp, :catch_failures => true)
       apply_manifest(pp, :catch_changes => true)
 
-      shell('iptables -S') do |r|
+      shell('iptables-save') do |r|
         expect(r.stdout).to match(/#{line_match}/)
       end
     end
@@ -37,7 +37,7 @@ class { '::firewall': }
 
       apply_manifest(pp, :catch_changes => true)
 
-      shell('iptables -S') do |r|
+      shell('iptables-save') do |r|
         expect(r.stdout).to match(/#{line_match}/)
       end
     end
@@ -67,7 +67,7 @@ class { '::firewall': }
     context 'when unset or false' do
       before :each do
         iptables_flush_all_tables
-        shell('/sbin/iptables -A INPUT -p tcp -m comment --comment "597 - test"')
+        shell('iptables -A INPUT -p tcp -m comment --comment "597 - test"')
       end
       context 'and current value is false' do
         it_behaves_like "doesn't change", 'isfragment => false,', /-A INPUT -p tcp -m comment --comment "597 - test"/
@@ -79,7 +79,7 @@ class { '::firewall': }
     context 'when set to true' do
       before :each do
         iptables_flush_all_tables
-        shell('/sbin/iptables -A INPUT -p tcp -f -m comment --comment "597 - test"')
+        shell('iptables -A INPUT -p tcp -f -m comment --comment "597 - test"')
       end
       context 'and current value is false' do
         it_behaves_like "is idempotent", 'isfragment => false,', /-A INPUT -p tcp -m comment --comment "597 - test"/

diff --git a/spec/acceptance/nodesets/centos-59-x64-pe.yml b/spec/acceptance/nodesets/centos-59-x64-pe.yml
@@ -0,0 +1,12 @@
+HOSTS:
+  centos-59-x64:
+    roles:
+      - master
+      - database
+      - console
+    platform: el-5-x86_64
+    box : centos-59-x64-vbox4210-nocm
+    box_url : http://puppet-vagrant-boxes.puppetlabs.com/centos-59-x64-vbox4210-nocm.box
+    hypervisor : vagrant
+CONFIG:
+  type: pe
diff --git a/spec/acceptance/params_spec.rb b/spec/acceptance/params_spec.rb
@@ -20,23 +20,19 @@ def pp(params)
     pm
   end
 
-  it 'test various params' do
+  it 'test various params', :unless => (default['platform'].match(/el-5/) || fact('operatingsystem') == 'SLES') do
     iptables_flush_all_tables
 
-    unless (fact('operatingsystem') == 'CentOS') && \
-      fact('operatingsystemrelease') =~ /^5\./ then
-
-      ppm = pp({
-        'table' => "'raw'",
-        'socket' => 'true',
-        'chain' => "'PREROUTING'",
-        'jump' => 'LOG',
-        'log_level' => 'debug',
-      })
+    ppm = pp({
+      'table' => "'raw'",
+      'socket' => 'true',
+      'chain' => "'PREROUTING'",
+      'jump' => 'LOG',
+      'log_level' => 'debug',
+    })
 
-      expect(apply_manifest(ppm, :catch_failures => true).exit_code).to eq(2)
-      expect(apply_manifest(ppm, :catch_failures => true).exit_code).to be_zero
-    end
+    expect(apply_manifest(ppm, :catch_failures => true).exit_code).to eq(2)
+    expect(apply_manifest(ppm, :catch_failures => true).exit_code).to be_zero
   end
 
   it 'test log rule' do

diff --git a/spec/acceptance/purge_spec.rb b/spec/acceptance/purge_spec.rb
@@ -5,8 +5,8 @@
     before(:all) do
       iptables_flush_all_tables
 
-      shell('/sbin/iptables -A INPUT -s 1.2.1.2')
-      shell('/sbin/iptables -A INPUT -s 1.2.1.2')
+      shell('iptables -A INPUT -s 1.2.1.2')
+      shell('iptables -A INPUT -s 1.2.1.2')
     end
 
     it 'make sure duplicate existing rules get purged' do
@@ -22,7 +22,7 @@ class { 'firewall': }
     end
 
     it 'saves' do
-      shell('/sbin/iptables-save') do |r|
+      shell('iptables-save') do |r|
         expect(r.stdout).to_not match(/1\.2\.1\.2/)
         expect(r.stderr).to eq("")
       end
@@ -33,9 +33,9 @@ class { 'firewall': }
     before(:each) do
       iptables_flush_all_tables
 
-      shell('/sbin/iptables -A INPUT -p tcp -s 1.2.1.1')
-      shell('/sbin/iptables -A INPUT -p udp -s 1.2.1.1')
-      shell('/sbin/iptables -A OUTPUT -s 1.2.1.2 -m comment --comment "010 output-1.2.1.2"')
+      shell('iptables -A INPUT -p tcp -s 1.2.1.1')
+      shell('iptables -A INPUT -p udp -s 1.2.1.1')
+      shell('iptables -A OUTPUT -s 1.2.1.2 -m comment --comment "010 output-1.2.1.2"')
     end
 
     it 'purges only the specified chain' do
@@ -48,7 +48,7 @@ class { 'firewall': }
 
       apply_manifest(pp, :expect_changes => true)
 
-      shell('/sbin/iptables-save') do |r|
+      shell('iptables-save') do |r|
         expect(r.stdout).to match(/010 output-1\.2\.1\.2/)
         expect(r.stdout).to_not match(/1\.2\.1\.1/)
         expect(r.stderr).to eq("")
@@ -118,7 +118,7 @@ class { 'firewall': }
 
       apply_manifest(pp, :catch_failures => true)
 
-      expect(shell('/sbin/iptables-save').stdout).to match(/-A INPUT -s 1\.2\.1\.1\/32 -p tcp \n-A INPUT -s 1\.2\.1\.1\/32 -p udp/)
+      expect(shell('iptables-save').stdout).to match(/-A INPUT -s 1\.2\.1\.1(\/32)? -p tcp\s?\n-A INPUT -s 1\.2\.1\.1(\/32)? -p udp/)
     end
   end
 end
diff --git a/spec/acceptance/resource_cmd_spec.rb b/spec/acceptance/resource_cmd_spec.rb
@@ -32,7 +32,7 @@
   context 'accepts rules without comments' do
     before(:all) do
       iptables_flush_all_tables
-      shell('/sbin/iptables -A INPUT -j ACCEPT -p tcp --dport 80')
+      shell('iptables -A INPUT -j ACCEPT -p tcp --dport 80')
     end
 
     it do
@@ -47,7 +47,7 @@
   context 'accepts rules with invalid comments' do
     before(:all) do
       iptables_flush_all_tables
-      shell('/sbin/iptables -A INPUT -j ACCEPT -p tcp --dport 80 -m comment --comment "http"')
+      shell('iptables -A INPUT -j ACCEPT -p tcp --dport 80 -m comment --comment "http"')
     end
 
     it do
@@ -62,9 +62,9 @@
   context 'accepts rules with negation' do
     before :all do
       iptables_flush_all_tables
-      shell('/sbin/iptables -t nat -A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535')
-      shell('/sbin/iptables -t nat -A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p udp -j MASQUERADE --to-ports 1024-65535')
-      shell('/sbin/iptables -t nat -A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -j MASQUERADE')
+      shell('iptables -t nat -A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535')
+      shell('iptables -t nat -A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p udp -j MASQUERADE --to-ports 1024-65535')
+      shell('iptables -t nat -A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -j MASQUERADE')
     end
 
     it do
@@ -79,7 +79,7 @@
   context 'accepts rules with match extension tcp flag' do
     before :all do
       iptables_flush_all_tables
-      shell('/sbin/iptables -t mangle -A PREROUTING -d 1.2.3.4 -p tcp -m tcp -m multiport --dports 80,443,8140 -j MARK --set-mark 42')
+      shell('iptables -t mangle -A PREROUTING -d 1.2.3.4 -p tcp -m tcp -m multiport --dports 80,443,8140 -j MARK --set-mark 42')
     end
 
     it do

diff --git a/spec/acceptance/rules_spec.rb b/spec/acceptance/rules_spec.rb
@@ -98,16 +98,18 @@
   end
 
   it 'contains appropriate rules' do
-    shell('iptables -S') do |r|
-      expect(r.stdout).to eq(
-        "-P INPUT ACCEPT\n" +
-        "-P FORWARD ACCEPT\n" +
-        "-P OUTPUT ACCEPT\n" +
-        "-A FORWARD -s 10.0.0.0/8 -d 10.0.0.0/8 -m comment --comment \"090 forward allow local\" -j ACCEPT \n" +
-        "-A FORWARD -s 10.0.0.0/8 ! -d 10.0.0.0/8 -p icmp -m comment --comment \"100 forward standard allow icmp\" -j ACCEPT \n" +
-        "-A FORWARD -s 10.0.0.0/8 ! -d 10.0.0.0/8 -p tcp -m multiport --ports 80,443,21,20,22,53,123,43,873,25,465 -m comment --comment \"100 forward standard allow tcp\" -m state --state NEW -j ACCEPT \n" +
-        "-A FORWARD -s 10.0.0.0/8 ! -d 10.0.0.0/8 -p udp -m multiport --ports 53,123 -m comment --comment \"100 forward standard allow udp\" -j ACCEPT \n"
-      )
+    shell('iptables-save') do |r|
+      [
+        /INPUT ACCEPT/,
+        /FORWARD ACCEPT/,
+        /OUTPUT ACCEPT/,
+        /-A FORWARD -s 10.0.0.0\/(8|255\.0\.0\.0) -d 10.0.0.0\/(8|255\.0\.0\.0) -m comment --comment \"090 forward allow local\" -j ACCEPT/,
+        /-A FORWARD -s 10.0.0.0\/(8|255\.0\.0\.0) (! -d|-d !) 10.0.0.0\/(8|255\.0\.0\.0) -p icmp -m comment --comment \"100 forward standard allow icmp\" -j ACCEPT/,
+        /-A FORWARD -s 10.0.0.0\/(8|255\.0\.0\.0) (! -d|-d !) 10.0.0.0\/(8|255\.0\.0\.0) -p tcp -m multiport --ports 80,443,21,20,22,53,123,43,873,25,465 -m comment --comment \"100 forward standard allow tcp\" -m state --state NEW -j ACCEPT/,
+        /-A FORWARD -s 10.0.0.0\/(8|255\.0\.0\.0) (! -d|-d !) 10.0.0.0\/(8|255\.0\.0\.0) -p udp -m multiport --ports 53,123 -m comment --comment \"100 forward standard allow udp\" -j ACCEPT/
+      ].each do |line|
+        expect(r.stdout).to match(line)
+      end
     end
   end
 end
@@ -225,24 +227,26 @@ class { '::firewall': }
   end
 
   it 'contains appropriate rules' do
-    shell('iptables -S') do |r|
-      expect(r.stdout).to eq(
-        "-P INPUT DROP\n" +
-        "-P FORWARD DROP\n" +
-        "-P OUTPUT ACCEPT\n" +
-        "-N LOCAL_INPUT\n" +
-        "-N LOCAL_INPUT_PRE\n" +
-        "-A INPUT -m comment --comment \"001 LOCAL_INPUT_PRE\" -j LOCAL_INPUT_PRE \n" +
-        "-A INPUT -m comment --comment \"010 INPUT allow established and related\" -m state --state RELATED,ESTABLISHED -j ACCEPT \n" +
-        "-A INPUT -i lo -m comment --comment \"012 accept loopback\" -j ACCEPT \n" +
-        "-A INPUT -p icmp -m comment --comment \"013 icmp destination-unreachable\" -m icmp --icmp-type 3 -j ACCEPT \n" +
-        "-A INPUT -s 10.0.0.0/8 -p icmp -m comment --comment \"013 icmp echo-request\" -m icmp --icmp-type 8 -j ACCEPT \n" +
-        "-A INPUT -p icmp -m comment --comment \"013 icmp time-exceeded\" -m icmp --icmp-type 11 -j ACCEPT \n" +
-        "-A INPUT -p tcp -m multiport --dports 22 -m comment --comment \"020 ssh\" -m state --state NEW -j ACCEPT \n" +
-        "-A INPUT -m comment --comment \"900 LOCAL_INPUT\" -j LOCAL_INPUT \n" +
-        "-A INPUT -m comment --comment \"999 reject\" -j REJECT --reject-with icmp-host-prohibited \n" +
-        "-A FORWARD -m comment --comment \"010 allow established and related\" -m state --state RELATED,ESTABLISHED -j ACCEPT \n"
-      )
+    shell('iptables-save') do |r|
+      [
+        /INPUT DROP/,
+        /FORWARD DROP/,
+        /OUTPUT ACCEPT/,
+        /LOCAL_INPUT/,
+        /LOCAL_INPUT_PRE/,
+        /-A INPUT -m comment --comment \"001 LOCAL_INPUT_PRE\" -j LOCAL_INPUT_PRE/,
+        /-A INPUT -m comment --comment \"010 INPUT allow established and related\" -m state --state RELATED,ESTABLISHED -j ACCEPT/,
+        /-A INPUT -i lo -m comment --comment \"012 accept loopback\" -j ACCEPT/,
+        /-A INPUT -p icmp -m comment --comment \"013 icmp destination-unreachable\" -m icmp --icmp-type 3 -j ACCEPT/,
+        /-A INPUT -s 10.0.0.0\/(8|255\.0\.0\.0) -p icmp -m comment --comment \"013 icmp echo-request\" -m icmp --icmp-type 8 -j ACCEPT/,
+        /-A INPUT -p icmp -m comment --comment \"013 icmp time-exceeded\" -m icmp --icmp-type 11 -j ACCEPT/,
+        /-A INPUT -p tcp -m multiport --dports 22 -m comment --comment \"020 ssh\" -m state --state NEW -j ACCEPT/,
+        /-A INPUT -m comment --comment \"900 LOCAL_INPUT\" -j LOCAL_INPUT/,
+        /-A INPUT -m comment --comment \"999 reject\" -j REJECT --reject-with icmp-host-prohibited/,
+        /-A FORWARD -m comment --comment \"010 allow established and related\" -m state --state RELATED,ESTABLISHED -j ACCEPT/
+      ].each do |line|
+        expect(r.stdout).to match(line)
+      end
     end
   end
 end
diff --git a/spec/acceptance/socket_spec.rb b/spec/acceptance/socket_spec.rb
@@ -1,6 +1,7 @@
 require 'spec_helper_acceptance'
 
-describe 'firewall socket property' do
+# RHEL5 does not support -m socket
+describe 'firewall socket property', :unless => (default['platform'] =~ /el-5/ || fact('operatingsystem') == 'SLES') do
   before :all do
     iptables_flush_all_tables
   end
@@ -21,7 +22,7 @@ class { '::firewall': }
       apply_manifest(pp, :catch_failures => true)
       apply_manifest(pp, :catch_changes => true)
 
-      shell('iptables -t raw -S') do |r|
+      shell('iptables-save -t raw') do |r|
         expect(r.stdout).to match(/#{line_match}/)
       end
     end
@@ -41,7 +42,7 @@ class { '::firewall': }
 
       apply_manifest(pp, :catch_changes => true)
 
-      shell('iptables -t raw -S') do |r|
+      shell('iptables-save -t raw') do |r|
         expect(r.stdout).to match(/#{line_match}/)
       end
     end
@@ -71,7 +72,7 @@ class { '::firewall': }
     context 'when unset or false' do
       before :each do
         iptables_flush_all_tables
-        shell('/sbin/iptables -t raw -A PREROUTING -p tcp -m comment --comment "598 - test"')
+        shell('iptables -t raw -A PREROUTING -p tcp -m comment --comment "598 - test"')
       end
       context 'and current value is false' do
         it_behaves_like "doesn't change", 'socket => false,', /-A PREROUTING -p tcp -m comment --comment "598 - test"/
@@ -83,7 +84,7 @@ class { '::firewall': }
     context 'when set to true' do
       before :each do
         iptables_flush_all_tables
-        shell('/sbin/iptables -t raw -A PREROUTING -p tcp -m socket -m comment --comment "598 - test"')
+        shell('iptables -t raw -A PREROUTING -p tcp -m socket -m comment --comment "598 - test"')
       end
       context 'and current value is false' do
         it_behaves_like "is idempotent", 'socket => false,', /-A PREROUTING -p tcp -m comment --comment "598 - test"/

diff --git a/spec/spec_helper_acceptance.rb b/spec/spec_helper_acceptance.rb
@@ -2,21 +2,27 @@
 
 def iptables_flush_all_tables
   ['filter', 'nat', 'mangle', 'raw'].each do |t|
-    expect(shell("/sbin/iptables -t #{t} -F").stderr).to eq("")
+    expect(shell("iptables -t #{t} -F").stderr).to eq("")
   end
 end
 
 def ip6tables_flush_all_tables
   ['filter'].each do |t|
-    expect(shell("/sbin/ip6tables -t #{t} -F").stderr).to eq("")
+    expect(shell("ip6tables -t #{t} -F").stderr).to eq("")
   end
 end
 
-hosts.each do |host|
-  # Install Puppet
-  install_package host, 'rubygems'
-  on host, 'gem install puppet --no-ri --no-rdoc'
-  on host, "mkdir -p #{host['distmoduledir']}"
+unless ENV['RS_PROVISION'] == 'no'
+  hosts.each do |host|
+    # Install Puppet
+    if host.is_pe?
+      install_pe
+    else
+      install_package host, 'rubygems'
+      on host, 'gem install puppet --no-ri --no-rdoc'
+      on host, "mkdir -p #{host['distmoduledir']}"
+    end
+  end
 end
 
 RSpec.configure do |c|

diff --git a/spec/unit/puppet/provider/iptables_spec.rb b/spec/unit/puppet/provider/iptables_spec.rb
@@ -196,6 +196,11 @@
         allow(resource.provider.class).to receive(:instances).and_return(providers)
         expect(resource.provider.insert_order).to eq(9)
       end
+      it 'understands offsets for adding rules at the end' do
+        resource = Puppet::Type.type(:firewall).new({ :name => '950 test', })
+        allow(resource.provider.class).to receive(:instances).and_return(providers)
+        expect(resource.provider.insert_order).to eq(11)
+      end
     end
   end