diff --git a/lib/puppet/provider/firewall/iptables.rb b/lib/puppet/provider/firewall/iptables.rb
index f599faa25..e88d1b21f 100644
--- a/lib/puppet/provider/firewall/iptables.rb
+++ b/lib/puppet/provider/firewall/iptables.rb
@@ -435,13 +435,27 @@ def self.rule_to_hash(line, table, counter)
 end
 # Manually remove chain
- values.slice!('-A')
- keys << :chain
+ if values =~ /(\s|^)-A\s/
+ values = values.sub(/(\s|^)-A\s/, '\1')
+ keys << :chain
+ end
+
+ # Manually remove table (used in some tests)
+ if values =~ /^-t\s/
+ values = values.sub(/^-t\s/, '')
+ keys << :table
+ end
+
+ valrev = values.scan(/("([^"\\]|\\.)*"|\S+)/).transpose[0].reverse
+
+ if keys.length != valrev.length then
+ raise "Parser error: keys (#{keys.length}) and values (#{valrev.length}) count mismatch on line: #{line}"
+ end
 # Here we generate the main hash by scanning arguments off the values
 # string, handling any quoted characters present in the value, and then
 # zipping the values with the array of keys.
- keys.zip(values.scan(/("([^"\\]|\\.)*"|\S+)/).transpose[0].reverse) do |f, v|
+ keys.zip(valrev) do |f, v|
 if v =~ /^".*"$/ then
 hash[f] = v.sub(/^"(.*)"$/, '\1').gsub(/\\(\\|'|")/, '\1')
 else
diff --git a/spec/fixtures/iptables/conversion_hash.rb b/spec/fixtures/iptables/conversion_hash.rb
index 164f67ded..53e0b4169 100644
--- a/spec/fixtures/iptables/conversion_hash.rb
+++ b/spec/fixtures/iptables/conversion_hash.rb
@@ -663,6 +663,12 @@
 :proto => "tcp",
 },
 },
+ 'parser_sanity_check' => {
+ :line => '-A INPUT -s 1.2.3.4/32 -p tcp -m tcp --dport 80 --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "004 parser sanity check" -j ACCEPT',
+ :table => 'filter',
+ :raise_error => true,
+ :params => {},
+ },
 }
 # This hash is for testing converting a hash to an argument line.
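Review bot: The new count check in `rule_to_hash` raises a bare string, so callers get an untyped `RuntimeError`, and an input that leaves `values` with no tokens never reaches the check at all: `scan(...)` returns `[]`, `transpose[0]` is `nil`, and `.reverse` fails with `NoMethodError` instead of the parser error. Taking the first capture per match avoids that, `valrev = values.scan(/("([^"\\]|\\.)*"|\S+)/).map(&:first).reverse`, and raising a named class (for example `Puppet::Error`) lets a caller tell a parse failure from a bug. A comment above the `raise` should record that this is deliberately fail-closed, rejecting a rule the parser cannot map rather than building a hash with shifted values, and that equal counts do not prove the key/value pairing is correct. The body of `rule_to_hash` starts and ends outside this hunk, so how callers handle the exception is not visible here.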
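Review bot: The `parser_sanity_check` fixture in conversion_hash.rb does not say why its `:line` must fail to parse. A comment above the entry should name the option that makes the key and value counts differ; this appears to be `--tcp-flags`, which the parser at this commit does not seem to map, though the mapping table is not visible in this diff. If that reading is right, the fixture will need a different unparseable rule once the option is supported, and without the comment that dependency is easy to miss. Only the case where values outnumber keys is exercised here.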
@@ -1275,4 +1281,4 @@
 },
 :args => ["-t", :filter, "-s", "1.2.3.4/32", "-d", "4.3.2.1/32", "-p", :tcp, "-m", "comment", "--comment", "003 nfqueue dont specify queue_num or queue_bypass", "-j", "NFQUEUE"]
 }
-}
\ No newline at end of file
+}
diff --git a/spec/unit/puppet/provider/iptables_spec.rb b/spec/unit/puppet/provider/iptables_spec.rb
index f9316d96a..eb85e8876 100644
--- a/spec/unit/puppet/provider/iptables_spec.rb
+++ b/spec/unit/puppet/provider/iptables_spec.rb
@@ -215,6 +215,13 @@ ARGS_TO_HASH.each do |test_name,data|
 describe "for test data '#{test_name}'" do
 let(:resource) { provider.rule_to_hash(data[:line], data[:table], 0) }
+ # If this option is enabled, make sure the error was raised
+ if data[:raise_error] then
+ it "the input rules should raise an error by rules_to_hash" do
+ expect{ resource }.to raise_error
+ end
+ end
+
 # If this option is enabled, make sure the parameters exactly match
 if data[:compare_all] then
 it "the parameter hash keys should be the same as returned by rules_to_hash" do
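Review bot: `expect{ resource }.to raise_error` with no arguments passes on any exception, including a `NoMethodError` or `NameError` raised for an unrelated reason, so this example in iptables_spec.rb would stay green if the sanity check were removed and the parser merely crashed. Pin it to the check itself: `expect { resource }.to raise_error(RuntimeError, /Parser error/)`. The example text also says `rules_to_hash` while the method called in the `let` is `rule_to_hash`. The enclosing `ARGS_TO_HASH.each` block continues past this hunk, so whether the later examples tolerate a fixture whose `resource` raises is not visible here.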