diff --git a/roles/init-server/files/systemd/system/dsnet.service b/roles/init-server/files/systemd/system/dsnet.service
new file mode 100644
index 0000000..2538293
--- /dev/null
+++ b/roles/init-server/files/systemd/system/dsnet.service
@@ -0,0 +1,14 @@
+[Unit]
+Description=dsnet
+After=network-online.target
+Wants=network-online.target
+
+[Service]
+Type=oneshot
+ExecStart=/usr/bin/dsnet up
+ExecStop=/usr/bin/dsnet down
+RemainAfterExit=yes
+ExecReload=/usr/bin/dsnet sync
+
+[Install]
+WantedBy=default.target
\ No newline at end of file
diff --git a/roles/init-server/files/systemd/system/thrunet.service b/roles/init-server/files/systemd/system/thrunet.service
new file mode 100644
index 0000000..71d7dc2
--- /dev/null
+++ b/roles/init-server/files/systemd/system/thrunet.service
@@ -0,0 +1,14 @@
+[Unit]
+Description=thrunet
+After=network-online.target
+Wants=network-online.target
+
+[Service]
+Type=oneshot
+ExecStart=/usr/local/bin/dsnet-forward.sh start
+ExecStop=/usr/local/bin/dsnet-forward.sh stop
+RemainAfterExit=yes
+# ExecReload=/usr/bin/dsnet sync
+
+[Install]
+WantedBy=default.target
\ No newline at end of file
diff --git a/roles/init-server/files/usr/local/bin/dsnet-forward.sh b/roles/init-server/files/usr/local/bin/dsnet-forward.sh
new file mode 100755
index 0000000..a617366
--- /dev/null
+++ b/roles/init-server/files/usr/local/bin/dsnet-forward.sh
@@ -0,0 +1,10 @@
+#!/bin/bash
+set -euo pipefail
+
+if [[ "$1" == "start" ]]; then
+ /usr/sbin/iptables -A FORWARD -i dsnet -p tcp --sport {80,443,465,587,995,110,143,993} -j ACCEPT
+ /usr/sbin/iptables -t nat -A POSTROUTING -o dsnet -j MASQUERADE
+elif [[ "$1" == "stop" ]]; then
+ /usr/sbin/iptables -D FORWARD -i dsnet -p tcp --sport {80,443,465,587,995,110,143,993} -j ACCEPT
+ /usr/sbin/iptables -t nat -D POSTROUTING -o dsnet -j MASQUERADE
+fi
\ No newline at end of file
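Review bot: The `[Service]` section of dsnet.service runs `/usr/bin/dsnet` as root with no sandboxing directives, which is more privilege than bringing a tunnel interface up normally needs. After confirming what `dsnet up`, `dsnet down` and `dsnet sync` actually touch, consider adding `NoNewPrivileges=yes`, `ProtectHome=yes` and a bounding set such as `CapabilityBoundingSet=CAP_NET_ADMIN`. The same gap likely applies to thrunet.service in the next file, though the capabilities iptables needs there may differ. The file also ends without a trailing newline.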
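Review bot: Nothing in the `[Unit]` section of thrunet.service orders it relative to dsnet.service, although the script it runs installs rules for the `dsnet` interface. If the forwarding rules are only meant to exist while the tunnel is up, add `After=dsnet.service` and `Requires=dsnet.service` (or `PartOf=dsnet.service`) so the two units start and stop together. The commented `# ExecReload=/usr/bin/dsnet sync` line looks like residue from copying dsnet.service and should be dropped. Because the unit executes `/usr/local/bin/dsnet-forward.sh` as root, the task that installs the script (not visible in this diff) should keep it owned by root and not writable by other users.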
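Review bot: The `--sport {80,443,465,587,995,110,143,993}` argument in both FORWARD rules of dsnet-forward.sh is brace-expanded by bash into eight separate words, so iptables receives `--sport 80 443 …` and will most likely reject the command; with `set -e` the start action then aborts before the MASQUERADE rule is added. A port list needs the multiport match, `-m multiport --sports 80,443,…`, in the `-A` line and in the matching `-D` line. Matching on source port alone is also stateless, so anything arriving on dsnet with one of these source ports is forwarded; if the intent is to admit reply traffic only, `-m conntrack --ctstate ESTABLISHED,RELATED` would be the tighter rule. The sketch below also reads the action as `${1:-}` so a missing argument prints usage instead of an unbound-variable error, rejects unknown actions with a non-zero status, and lets stop continue to the MASQUERADE removal when the FORWARD rule is already gone.

```shell
# … unchanged: shebang, set -euo pipefail …
readonly PORTS=80,443,465,587,995,110,143,993

case "${1:-}" in
  start)
    /usr/sbin/iptables -A FORWARD -i dsnet -p tcp -m multiport --sports "$PORTS" -j ACCEPT
    # … unchanged: MASQUERADE -A rule …
    ;;
  stop)
    # Keep going if this rule is already absent so the NAT rule below is still removed.
    /usr/sbin/iptables -D FORWARD -i dsnet -p tcp -m multiport --sports "$PORTS" -j ACCEPT || true
    # … unchanged: MASQUERADE -D rule …
    ;;
  *)
    printf 'usage: %s start|stop\n' "${0##*/}" >&2
    exit 2
    ;;
esac
```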