diff --git a/.github/workflows/test-startup.yml b/.github/workflows/test-startup.yml
index 3146ea5..bb9ff91 100644
--- a/.github/workflows/test-startup.yml
+++ b/.github/workflows/test-startup.yml
@@ -21,18 +21,15 @@ jobs:
         run: go build -v ./...
       - name: Install go-mmproxy
-        run: sudo cp go-mmproxy /usr/bin/go-mmproxy
-
-      - name: Add net-prefixes.txt
-        run: echo 192.168.0.0/16 | sudo tee /usr/share/net-prefixes.txt
-
-      - name: Install the systemd service
         run: |
+          sudo cp go-mmproxy /usr/bin/go-mmproxy
+          sudo mkdir /etc/go-mmproxy
+          echo 192.168.0.0/16 | sudo tee /etc/go-mmproxy/net-prefixes.txt
           sudo cp go-mmproxy.service.example /etc/systemd/system/go-mmproxy.service
           sudo systemctl daemon-reload
       - name: Start go-mmproxy
-        run: sudo systemctl start go-mmproxy
+        run: sudo systemctl start go-mmproxy || sudo systemctl status go-mmproxy.service
       - name: Check go-mmproxy status
         run: systemctl is-active go-mmproxy
diff --git a/go-mmproxy.service.example b/go-mmproxy.service.example
index 9924321..ae291dd 100644
--- a/go-mmproxy.service.example
+++ b/go-mmproxy.service.example
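Review bot: The new `sudo mkdir /etc/go-mmproxy` line has no `-p`, so the step aborts if the directory already exists on the runner (the `run: |` block runs with `-e`); `sudo mkdir -p /etc/go-mmproxy` keeps the step idempotent. The `|| sudo systemctl status go-mmproxy.service` fallback on the start step still fails the job when the unit is not active, which is the right outcome, but it only surfaces the last few journal lines; `|| { sudo systemctl status go-mmproxy.service; sudo journalctl -u go-mmproxy --no-pager; exit 1; }` gives the full start-up log, which matters now that the unit runs sandboxed. The `tee` of net-prefixes.txt as root presumably leaves the file world-readable, which the unprivileged service needs to read it — worth confirming rather than relying on the umask.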
@@ -5,17 +5,22 @@ After=network.target
 [Service]
 Type=simple
 LimitNOFILE=65535
-ExecStartPost=/sbin/ip rule add from 127.0.0.1/8 iif lo table 123
-ExecStartPost=/sbin/ip route add local 0.0.0.0/0 dev lo table 123
-ExecStartPost=/sbin/ip -6 rule add from ::1/128 iif lo table 123
-ExecStartPost=/sbin/ip -6 route add local ::/0 dev lo table 123
-ExecStart=/usr/bin/go-mmproxy -4 127.0.0.1:1000 -6 "[::1]:1000" -allowed-subnets /usr/share/net-prefixes.txt -l 0.0.0.0:1234
-ExecStopPost=/sbin/ip rule del from 127.0.0.1/8 iif lo table 123
-ExecStopPost=/sbin/ip route del local 0.0.0.0/0 dev lo table 123
-ExecStopPost=/sbin/ip -6 rule del from ::1/128 iif lo table 123
-ExecStopPost=/sbin/ip -6 route del local ::/0 dev lo table 123
+CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_NET_ADMIN
+ExecStartPost=+/sbin/ip rule add from 127.0.0.1/8 iif lo table 123
+ExecStartPost=+/sbin/ip route add local 0.0.0.0/0 dev lo table 123
+ExecStartPost=+/sbin/ip -6 rule add from ::1/128 iif lo table 123
+ExecStartPost=+/sbin/ip -6 route add local ::/0 dev lo table 123
+ExecStart=/usr/bin/go-mmproxy -4 127.0.0.1:1000 -6 "[::1]:1000" -allowed-subnets /etc/go-mmproxy/net-prefixes.txt -l 0.0.0.0:1234
+ExecStopPost=+/sbin/ip rule del from 127.0.0.1/8 iif lo table 123
+ExecStopPost=+/sbin/ip route del local 0.0.0.0/0 dev lo table 123
+ExecStopPost=+/sbin/ip -6 rule del from ::1/128 iif lo table 123
+ExecStopPost=+/sbin/ip -6 route del local ::/0 dev lo table 123
 Restart=on-failure
 RestartSec=10s
+DynamicUser=yes
+ProtectSystem=full
+PrivateTmp=true
+WorkingDirectory=/tmp
 
 [Install]
 WantedBy=multi-user.target
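Review bot: `CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_NET_ADMIN` only caps what the service may ever hold; with `DynamicUser=yes` the main process starts as an unprivileged user with no effective capabilities, so nothing in this unit actually grants CAP_NET_ADMIN to go-mmproxy. If the proxy needs it at runtime (spoofing the client source address via IP_TRANSPARENT requires CAP_NET_ADMIN), the unit also needs `AmbientCapabilities=CAP_NET_ADMIN`, and the CI start check would not catch this because the failure only shows up when a connection is proxied, not at unit start. CAP_NET_BIND_SERVICE appears unnecessary here since the listener is on port 1234, so the bounding set could be narrowed to `CapabilityBoundingSet=CAP_NET_ADMIN`. The `+` prefix correctly confines root to the `ip rule`/`ip route` helpers; once the capability grant is settled, `NoNewPrivileges=yes` and `ProtectSystem=strict` (the service writes nothing outside `/tmp`, judging by `WorkingDirectory=/tmp` and `PrivateTmp=true`) would complete the sandbox.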