The shorewall documentation explains in http://shorewall.org/Docker.html how to configure shorewall for use with docker. The problem with the configuration is that it only allows connections from the host to the main bridge docker0. Connections to other networks on dynamically created bridges, with names starting by default with br-, is blocked. Instead of the recommended contents of /etc/shorewall/interfaces, use wild-card interface names as follows:
#ZONE INTERFACE OPTIONS
#dock docker0 bridge # disabled default recommendation
dock docker0 physical=docker+,routeback=1
dock br physical=br-+,routeback=1