IPTables and SNAT for just two ports
The key to iptables is the first match wins.
Assuming the client machine is 10.10.1.10
then you just have to look at these rules in order. If the first rule doesn't match it is going to pass down MASQ rule which it will match.
-A POSTROUTING -s 10.10.1.10 -p tcp --dport 80 -j SNAT --to-source 1.2.3.4:80
-A POSTROUTING -o eth0 -j MASQUERADE
If you were to add another rule before the final MASQUERADE
rule should result in the NAT not happening. Since the packets from 10.10.1.10 will that are not destined to tcp/80 or tcp/443 will match the ACCEPT rule, meaning that they will not be translated by the SNAT/MASQ rules.
-A POSTROUTING -s 10.10.1.10 -p tcp --dport 80 -j SNAT --to-source 1.2.3.4:80
-A POSTROUTING -s 10.10.1.10 -p tcp --dport 443-j SNAT --to-source 1.2.3.4:443
-A POSTROUTING -s 10.10.1.10 -j ACCEPT
-A POSTROUTING -o eth0 -j MASQUERADE