diff --git a/gestion/gen_confs/firewall4/komaz.py b/gestion/gen_confs/firewall4/komaz.py
index b9b19095..a6cdaa28 100644
--- a/gestion/gen_confs/firewall4/komaz.py
+++ b/gestion/gen_confs/firewall4/komaz.py
@@ -129,6 +129,7 @@ class firewall(base.firewall_routeur):
 self.add(table, chain, '-j %s' % self.ssh_on_https(table))
 self.add(table, chain, '-j %s' % self.connexion_secours(table))
 self.add(table, chain, '-j %s' % self.blacklist_soft(table))
+ self.add(table, chain, '-j %s' % self.blacklist_hard(table))
 chain = 'POSTROUTING'
 self.add(table, chain, '-j %s' % self.connexion_wififederez(table))
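Review bot: The added jump to `blacklist_hard` comes after the jump to `blacklist_soft` in the same chain, so a host present in both ipsets is handled by the soft chain first; if that chain terminates the packet (DNAT, RETURN or ACCEPT) the hard rules are never consulted and the stricter sanction does not take precedence. If the hard list is meant to override the soft one, place the new line before `self.add(table, chain, '-j %s' % self.blacklist_soft(table))`; otherwise a short comment stating that soft precedes hard on purpose would save the next reader the question. The chain's name is assigned above the hunk and the enclosing method starts outside it, so whether the ordering is deliberate cannot be confirmed from here.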
@@ -367,6 +368,41 @@ class firewall(base.firewall_routeur):
 self.apply(table, chain)
 return chain
+ def blacklist_hard(self, table=None, fill_ipset=False, apply=False):
+ """Bloque tout, sauf le 80 pour afficher le portail captif"""
+ chain = 'BLACKLIST_HARD'
+
+ if fill_ipset:
+ # On récupère la liste de toutes les ips blacklistés hard
+ bl_hard_ips = self.blacklisted_ips(base.config.blacklist_sanctions, base.config.NETs['all'])
+ anim('\tRestoration de l\'ipset %s' % self.ipset['blacklist']['hard'])
+ self.ipset['blacklist']['hard'].restore(bl_hard_ips)
+ print OK
+
+ if table == 'filter':
+ pretty_print(table, chain)
+ # Same as blacklist_soft: autorise le port 80 et 3128 vers soi-même
+ self.add(table, chain, '-p tcp --dport 80 -m set --match-set %s src -j ACCEPT' % self.ipset['blacklist']['hard'] )
+ self.add(table, chain, '-p tcp --sport 80 -m set --match-set %s dst -j ACCEPT' % self.ipset['blacklist']['hard'] )
+ self.add(table, chain, '-p tcp -d 10.231.136.4 --dport 3128 -m set --match-set %s src -j ACCEPT' % self.ipset['blacklist']['hard'] )
+ self.add(table, chain, '-p tcp -s 10.231.136.4 --sport 3128 -m set --match-set %s dst -j ACCEPT' % self.ipset['blacklist']['hard'] )
+ # Mais on continue en refusant le reste
+ self.add(table, chain, '-m set --match-set %s src -j REJECT' % self.ipset['blacklist']['hard'] )
+ self.add(table, chain, '-m set --match-set %s dst -j REJECT' % self.ipset['blacklist']['hard'] )
+ print OK
+
+ if table == 'nat':
+ pretty_print(table, chain)
+ for net in base.config.NETs['all']:
+ self.add(table, chain, '-d %s -j RETURN' % net)
+ self.add(table, chain, '-p tcp --dport 80 -m set --match-set %s src -j RETURN' % self.ipset['confirmation'] ) # Les gens qui ont cliqué -> fine !
+ self.add(table, chain, '-p tcp --dport 80 -m set --match-set %s src -j DNAT --to-destination 10.231.136.4:3128' % self.ipset['blacklist']['hard'] )
+ print OK
+
+ if apply:
+ self.apply(table, chain)
+ return chain
+
 def blacklist_upload_maj(self, ip_list):
 self.blacklist_upload(fill_ipset=True)
 # for ip in ip_list:
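Review bot: In the `table == 'filter'` branch the two `-j REJECT` rules drop everything from or to a hard-blacklisted host that the four ACCEPT rules above them do not cover, and those admit only TCP 80 and TCP 3128 to 10.231.136.4 — DNS is not among them, so unless a rule earlier in the calling chain already accepts it, a browser on such a host cannot resolve any name and never emits the port-80 request that the `nat` branch redirects to the portal. If the captive page is meant to appear, add before the REJECT pair `self.add(table, chain, '-p udp --dport 53 -m set --match-set %s src -j ACCEPT' % self.ipset['blacklist']['hard'])` together with the matching `--sport 53 ... dst` rule, or state in the docstring that the portal is reachable only by IP literal. The hard set is only populated when a caller passes `fill_ipset=True`, and this commit adds no refresh entry point for it, whereas the trailing context shows `blacklist_upload_maj` doing exactly that for the upload set; if the module's `*_maj` methods are the refresh path, the hard set needs an equivalent, otherwise the chain matches nothing and the sanction is silently ineffective. Style: `self.ipset['blacklist']['hard']` is looked up eight times and `10.231.136.4` is spelled out three times; bind the set once at the top of the method (`bl_set = self.ipset['blacklist']['hard']`) and keep the portal address in a single named constant next to the other addresses in config.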