IPTables – How to Configure SNAT for Just Two Ports

I want to set up some NAT policies so that certain machines will only have outbound access to http/https. They should not be able to do port scans or anything else from their machine.

Currently my NAT rules are:

-A PREROUTING -d 1.2.3.4 -j DNAT --to-destination 10.10.1.10
-A POSTROUTING -s 10.10.1.10 -j SNAT --to-source 1.2.3.4

And I have this shared rule:

-A POSTROUTING -o eth0 -j MASQUERADE

1.2.3.4 is a public IP, and 10.10.1.10 is an internal IP.

This allows all inbound and outbound access to NAT directly through.

I tried the following POSTROUTING rule instead of the one above:

-A POSTROUTING -s 10.10.1.10 -p tcp --dport 80 -j SNAT --to-source 1.2.3.4:80

However, that didn't seem to work. After adding that rule I could still use RDP from the workstation.

To recap, my goal is to allow certain workstations to only have http/https access to the Internet. All other outbound traffic should be blocked. All traffic should be allowed. I want all other workstations in the network to use the existing NAT policy to allow all outbound traffic to be NAT'ed.

Update
Based on @Zoredache's reply, I now have the following Postrouting rules.

-A POSTROUTING -s 10.10.1.10/32 -p tcp -m tcp --dport 80 -j SNAT --to-source 1.2.3.4:80
-A POSTROUTING -s 10.10.1.10/32 -p tcp -m tcp --dport 443 -j SNAT --to-source 1.2.3.4:443
-A POSTROUTING -s 10.10.1.10/32 -p tcp -m tcp --dport 53 -j SNAT --to-source 1.2.3.4:53
-A POSTROUTING -s 10.10.1.10/32 -p tcp -m udp --dport 53 -j SNAT --to-source 1.2.3.4:53
-A POSTROUTING -s 10.10.1.10/32 -j ACCEPT
-A POSTROUTING -o eth0 -j MASQUERADE

They don't quite work yet but they are getting close. More in my reply to @Zoredache below.