diff --git a/README.md b/README.md
index 517d615..8b6ee4e 100644
--- a/README.md
+++ b/README.md
@@ -205,11 +205,11 @@ and `CAP_NET_ADMIN` for transparent proxying (see
 You can use the `setcap(8)` utility to give these capabilities
 to the executable:
 
-	# setcap cap_net_bind_service,cap_net_admin+pe sslh-select
+	sudo setcap cap_net_bind_service,cap_net_admin+pe sslh-select
 
 Then you can run sslh-select as an unpriviledged user, e.g.:
 
-	$ sslh-select -p myname:443 --ssh localhost:22 --ssl localhost:443
+	sslh-select -p myname:443 --ssh localhost:22 --ssl localhost:443
 
 Caveat: `CAP_NET_ADMIN` does give sslh too many rights, e.g.
 configuring the interface. If you're not going to use
@@ -235,46 +235,46 @@ The firewalling tables also need to be adjusted as follows.
 I don't think it is possible to have `httpd` and `sslh` both listen to 443 in
 this scheme -- let me know if you manage that:
 
-	$ # Set route_localnet = 1 on all interfaces so that ssl can use "localhost" as destination
-	$ sysctl -w net.ipv4.conf.default.route_localnet=1
-	$ sysctl -w net.ipv4.conf.all.route_localnet=1
+	# Set route_localnet = 1 on all interfaces so that ssl can use "localhost" as destination
+	sysctl -w net.ipv4.conf.default.route_localnet=1
+	sysctl -w net.ipv4.conf.all.route_localnet=1
 
-	$ # DROP martian packets as they would have been if route_localnet was zero
-	$ # Note: packets not leaving the server aren't affected by this, thus sslh will still work
-	$ iptables -t raw -A PREROUTING ! -i lo -d 127.0.0.0/8 -j DROP
-	$ iptables -t mangle -A POSTROUTING ! -o lo -s 127.0.0.0/8 -j DROP
+	# DROP martian packets as they would have been if route_localnet was zero
+	# Note: packets not leaving the server aren't affected by this, thus sslh will still work
+	iptables -t raw -A PREROUTING ! -i lo -d 127.0.0.0/8 -j DROP
+	iptables -t mangle -A POSTROUTING ! -o lo -s 127.0.0.0/8 -j DROP
 
-	$ # Mark all connections made by ssl for special treatment (here sslh is run as user "sslh")
-	$ iptables -t nat -A OUTPUT -m owner --uid-owner sslh -p tcp --tcp-flags FIN,SYN,RST,ACK SYN -j CONNMARK --set-xmark 0x01/0x0f
+	# Mark all connections made by ssl for special treatment (here sslh is run as user "sslh")
+	iptables -t nat -A OUTPUT -m owner --uid-owner sslh -p tcp --tcp-flags FIN,SYN,RST,ACK SYN -j CONNMARK --set-xmark 0x01/0x0f
 
-	$ # Outgoing packets that should go to sslh instead have to be rerouted, so mark them accordingly (copying over the connection mark)
-	$ iptables -t mangle -A OUTPUT ! -o lo -p tcp -m connmark --mark 0x01/0x0f -j CONNMARK --restore-mark --mask 0x0f
+	# Outgoing packets that should go to sslh instead have to be rerouted, so mark them accordingly (copying over the connection mark)
+	iptables -t mangle -A OUTPUT ! -o lo -p tcp -m connmark --mark 0x01/0x0f -j CONNMARK --restore-mark --mask 0x0f
 
-	$ # Configure routing for those marked packets
-	$ ip rule add fwmark 0x1 lookup 100
-	$ ip route add local 0.0.0.0/0 dev lo table 100
+	# Configure routing for those marked packets
+	ip rule add fwmark 0x1 lookup 100
+	ip route add local 0.0.0.0/0 dev lo table 100
 
 Tranparent proxying with IPv6 is similarly set up as follows:
 
-	$ # Set route_localnet = 1 on all interfaces so that ssl can use "localhost" as destination
-	$ # Not sure if this is needed for ipv6 though
-	$ sysctl -w net.ipv4.conf.default.route_localnet=1
-	$ sysctl -w net.ipv4.conf.all.route_localnet=1
+	# Set route_localnet = 1 on all interfaces so that ssl can use "localhost" as destination
+	# Not sure if this is needed for ipv6 though
+	sysctl -w net.ipv4.conf.default.route_localnet=1
+	sysctl -w net.ipv4.conf.all.route_localnet=1
 
-	$ # DROP martian packets as they would have been if route_localnet was zero
-	$ # Note: packets not leaving the server aren't affected by this, thus sslh will still work
-	$ ip6tables -t raw -A PREROUTING ! -i lo -d ::1/128 -j DROP
-	$ ip6tables -t mangle -A POSTROUTING ! -o lo -s ::1/128 -j DROP
+	# DROP martian packets as they would have been if route_localnet was zero
+	# Note: packets not leaving the server aren't affected by this, thus sslh will still work
+	ip6tables -t raw -A PREROUTING ! -i lo -d ::1/128 -j DROP
+	ip6tables -t mangle -A POSTROUTING ! -o lo -s ::1/128 -j DROP
 
-	$ # Mark all connections made by ssl for special treatment (here sslh is run as user "sslh")
-	$ ip6tables -t nat -A OUTPUT -m owner --uid-owner sslh -p tcp --tcp-flags FIN,SYN,RST,ACK SYN -j CONNMARK --set-xmark 0x01/0x0f
+	# Mark all connections made by ssl for special treatment (here sslh is run as user "sslh")
+	ip6tables -t nat -A OUTPUT -m owner --uid-owner sslh -p tcp --tcp-flags FIN,SYN,RST,ACK SYN -j CONNMARK --set-xmark 0x01/0x0f
 
-	$ # Outgoing packets that should go to sslh instead have to be rerouted, so mark them accordingly (copying over the connection mark)
-	$ ip6tables -t mangle -A OUTPUT ! -o lo -p tcp -m connmark --mark 0x01/0x0f -j CONNMARK --restore-mark --mask 0x0f
+	# Outgoing packets that should go to sslh instead have to be rerouted, so mark them accordingly (copying over the connection mark)
+	ip6tables -t mangle -A OUTPUT ! -o lo -p tcp -m connmark --mark 0x01/0x0f -j CONNMARK --restore-mark --mask 0x0f
 
-	$ # Configure routing for those marked packets
-	$ ip -6 rule add fwmark 0x1 lookup 100
-	$ ip -6 route add local ::/0 dev lo table 100
+	# Configure routing for those marked packets
+	ip -6 rule add fwmark 0x1 lookup 100
+	ip -6 route add local ::/0 dev lo table 100
 
 Explanation:
 To be able to use `localhost` as destination in your sslh config along with transparent proxying