diff --git a/go-mmproxy.service.example b/go-mmproxy.service.example
index 1e87b1f..908f50f 100644
--- a/go-mmproxy.service.example
+++ b/go-mmproxy.service.example
@@ -3,20 +3,54 @@
 Description=go-mmproxy
 After=network.target
 
 [Service]
-Type=simple
+User=go-mmproxy
+Group=go-mmproxy
+
 LimitNOFILE=65535
-ExecStartPost=/sbin/ip rule add from 127.0.0.1/8 iif lo table 123
-ExecStartPost=/sbin/ip route add local 0.0.0.0/0 dev lo table 123
-ExecStartPost=/sbin/ip -6 rule add from ::1/128 iif lo table 123
-ExecStartPost=/sbin/ip -6 route add local ::/0 dev lo table 123
+
+ExecStartPost=+/sbin/ip rule add from 127.0.0.1/8 iif lo table 123
+ExecStartPost=+/sbin/ip route add local 0.0.0.0/0 dev lo table 123
+ExecStartPost=+/sbin/ip -6 rule add from ::1/128 iif lo table 123
+ExecStartPost=+/sbin/ip -6 route add local ::/0 dev lo table 123
+
 ExecStart=/usr/bin/go-mmproxy -4 127.0.0.1:1000 -6 "[::1]:1000" -allowed-subnets /usr/share/path-prefixes.txt -l 0.0.0.0:1234
-ExecStopPost=/sbin/ip rule del from 127.0.0.1/8 iif lo table 123
-ExecStopPost=/sbin/ip route del local 0.0.0.0/0 dev lo table 123
-ExecStopPost=/sbin/ip -6 rule del from ::1/128 iif lo table 123
-ExecStopPost=/sbin/ip -6 route del local ::/0 dev lo table 123
+
+ExecStopPost=+/sbin/ip rule del from 127.0.0.1/8 iif lo table 123
+ExecStopPost=+/sbin/ip route del local 0.0.0.0/0 dev lo table 123
+ExecStopPost=+/sbin/ip -6 rule del from ::1/128 iif lo table 123
+ExecStopPost=+/sbin/ip -6 route del local ::/0 dev lo table 123
+
 Restart=on-failure
 RestartSec=10s
+AmbientCapabilities=CAP_NET_ADMIN
+CapabilityBoundingSet=CAP_NET_ADMIN
+
+KeyringMode=private
+LockPersonality=yes
+MemoryDenyWriteExecute=yes
+MountFlags=private
+NoNewPrivileges=yes
+PrivateDevices=yes
+PrivateTmp=yes
+ProcSubset=pid
+ProtectClock=yes
+ProtectControlGroups=yes
+ProtectHome=yes
+ProtectHostname=yes
+ProtectKernelLogs=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+ProtectProc=invisible
+ProtectSystem=strict
+RemoveIPC=yes
+RestrictAddressFamilies=AF_INET AF_INET6
+RestrictNamespaces=yes
+RestrictRealtime=yes
+RestrictSUIDSGID=yes
+SystemCallArchitectures=native
+SystemCallFilter=@basic-io @file-system @io-event @ipc @network-io @process @signal madvise setrlimit splice
+
 
 [Install]
 WantedBy=multi-user.target
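Review bot: The new `User=go-mmproxy`/`Group=go-mmproxy` lines make the example depend on a pre-created system account, and nothing in the file records that requirement; a comment above them such as `# Requires a dedicated system user and group named go-mmproxy (or replace these two lines with DynamicUser=yes)` would keep the example self-contained. The hand-written `SystemCallFilter=` allow-list also deserves a comment saying why it was preferred over the `@system-service` group, because any syscall the Go runtime issues outside the listed groups (beyond the implicit `@default` set) terminates the service with SIGSYS, which appears in the journal as a seccomp kill rather than an application error, so operators should know to look there when the unit dies on start. A short note that `AmbientCapabilities=CAP_NET_ADMIN` is what lets the unprivileged process set IP_TRANSPARENT on its outbound sockets (presumably the reason the capability is retained), and that the `+` prefix on the `ExecStartPost=`/`ExecStopPost=` lines is what lets the `ip` commands run outside the `User=` and capability restrictions, would document the two deliberate escape hatches this hardening relies on.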