ACL that only allow autogroup:shared to use the nodes as exit?

I have tailscale installed on some servers and they are running some services I don’t want to expose to shared node users.

But I do want those shared node users to use those servers as exit node (deny every ports except ports used for exit node connection).

I didn’t find anything relate to ports used for exit node internet access and I tried to use

			"action": "accept",
			"src":    ["autogroup:shared"],
			"dst":    ["server1:*", "server2:*", "server3:*"],

but this is not want I want.

It would be really helpful if anyone with experience of how to configure ACL to only allow connection initiated from “src”: [“autogroup:shared”] to my tailnet to use the node as exit for internet access but not anything else?

Thanks in advance!

actually never mind, please see following documentation and search for autogroup:internet