--- title: About the iptables Resource --- # iptables Use the `iptables` InSpec audit resource to test rules that are defined in `iptables`, which maintains tables of IP packet filtering rules. There may be more than one table. Each table contains one (or more) chains (both built-in and custom). A chain is a list of rules that match packets. When the rule matches, the rule defines what target to assign to the packet.
## Syntax A `iptables` resource block declares tests for rules in IP tables: describe iptables(rule:'name', table:'name', chain: 'name') do it { should have_rule('RULE') } end where * `iptables()` may specify any combination of `rule`, `table`, or `chain` * `rule:'name'` is the name of a rule that matches a set of packets * `table:'name'` is the packet matching table against which the test is run * `chain: 'name'` is the name of a user-defined chain or one of `ACCEPT`, `DROP`, `QUEUE`, or `RETURN` * `have_rule('RULE')` tests that rule in the iptables list. This must match the entire line taken from `iptables -S CHAIN`.
## Examples The following examples show how to use this InSpec audit resource. ### Test if the INPUT chain is in default ACCEPT mode describe iptables do it { should have_rule('-P INPUT ACCEPT') } end ### Test if the INPUT chain from the mangle table is in ACCEPT mode describe iptables(table:'mangle', chain: 'INPUT') do it { should have_rule('-P INPUT ACCEPT') } end ### Test if there is a rule allowing Postgres (5432/TCP) traffic describe iptables do it { should have_rule('-A INPUT -p tcp -m tcp -m multiport --dports 5432 -m comment --comment "postgres" -j ACCEPT') } end Note that the rule specification must exactly match what's in the output of `iptables -S INPUT`, which will depend on how you've built your rules.
## Matchers For a full list of available matchers please visit our [matchers page](https://www.inspec.io/docs/reference/matchers/). ### have_rule The `have_rule` matcher tests the named rule against the information in the `iptables` file: it { should have_rule('RULE') }