diff --git a/debian/shadowsocks-libev-local@.service b/debian/shadowsocks-libev-local@.service
index 3595f6c8..05d78cff 100644
--- a/debian/shadowsocks-libev-local@.service
+++ b/debian/shadowsocks-libev-local@.service
@@ -17,6 +17,7 @@ After=network.target
 [Service]
 Type=simple
 CapabilityBoundingSet=CAP_NET_BIND_SERVICE
+AmbientCapabilities=CAP_NET_BIND_SERVICE
 ExecStart=/usr/bin/ss-local -c /etc/shadowsocks-libev/%i.json
 
 [Install]
diff --git a/debian/shadowsocks-libev-redir@.service b/debian/shadowsocks-libev-redir@.service
index 420f1946..3fc2c8a6 100644
--- a/debian/shadowsocks-libev-redir@.service
+++ b/debian/shadowsocks-libev-redir@.service
@@ -17,6 +17,7 @@ After=network.target
 [Service]
 Type=simple
 CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE
+AmbientCapabilities=CAP_NET_ADMIN CAP_NET_BIND_SERVICE
 ExecStart=/usr/bin/ss-redir -c /etc/shadowsocks-libev/%i.json
 
 [Install]
diff --git a/debian/shadowsocks-libev-server@.service b/debian/shadowsocks-libev-server@.service
index b6469951..bf13c100 100644
--- a/debian/shadowsocks-libev-server@.service
+++ b/debian/shadowsocks-libev-server@.service
@@ -17,6 +17,7 @@ After=network.target
 [Service]
 Type=simple
 CapabilityBoundingSet=CAP_NET_BIND_SERVICE
+AmbientCapabilities=CAP_NET_BIND_SERVICE
 ExecStart=/usr/bin/ss-server -c /etc/shadowsocks-libev/%i.json
 
 [Install]
diff --git a/debian/shadowsocks-libev-tunnel@.service b/debian/shadowsocks-libev-tunnel@.service
index 3f9f8aef..1cdd56ba 100644
--- a/debian/shadowsocks-libev-tunnel@.service
+++ b/debian/shadowsocks-libev-tunnel@.service
@@ -17,6 +17,7 @@ After=network.target
 [Service]
 Type=simple
 CapabilityBoundingSet=CAP_NET_BIND_SERVICE
+AmbientCapabilities=CAP_NET_BIND_SERVICE
 ExecStart=/usr/bin/ss-tunnel -c /etc/shadowsocks-libev/%i.json
 
 [Install]
diff --git a/debian/shadowsocks-libev.service b/debian/shadowsocks-libev.service
index c4489d53..1e0ffe47 100644
--- a/debian/shadowsocks-libev.service
+++ b/debian/shadowsocks-libev.service
@@ -16,6 +16,7 @@ After=network.target
 [Service]
 Type=simple
 CapabilityBoundingSet=CAP_NET_BIND_SERVICE
+AmbientCapabilities=CAP_NET_BIND_SERVICE
 EnvironmentFile=/etc/default/shadowsocks-libev
 User=nobody
 Group=nogroup