diff --git a/doc/ss-redir.asciidoc b/doc/ss-redir.asciidoc
index 1be1a9a7..242349c2 100644
--- a/doc/ss-redir.asciidoc
+++ b/doc/ss-redir.asciidoc
@@ -128,6 +128,7 @@ ss-redir requires netfilter's NAT function. Here is an example:
 ....
 # Create new chain
 root@Wrt:~# iptables -t nat -N SHADOWSOCKS
+root@Wrt:~# iptables -t mangle -N SHADOWSOCKS
 
 # Ignore your shadowsocks server's addresses
 # It's very IMPORTANT, just be careful.
@@ -149,8 +150,8 @@ root@Wrt:~# iptables -t nat -A SHADOWSOCKS -d 240.0.0.0/4 -j RETURN
 root@Wrt:~# iptables -t nat -A SHADOWSOCKS -p tcp -j REDIRECT --to-ports 12345
 
 # Add any UDP rules
-root@Wrt:~# ip rule add fwmark 0x01/0x01 table 100
-root@Wrt:~# ip route add local 0.0.0.0/0 dev lo table 100
+root@Wrt:~# ip route add local default dev lo table 100
+root@Wrt:~# ip rule add fwmark 1 lookup 100
 root@Wrt:~# iptables -t mangle -A SHADOWSOCKS -p udp --dport 53 -j TPROXY --on-port 12345 --tproxy-mark 0x01/0x01
 
 # Apply the rules